[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[stalk:00289] Re: FTP $B%5!<%P$K%;%-%e%j%F%#%[!<%k(B

To: security-talk@xxxxxxxxxxxxxxxxxxxx
Subject: [stalk:00289] Re: FTP $B%5!<%P$K%;%-%e%j%F%#%[!<%k(B
From: Koga Youichirou <y-koga@xxxxxxxxxxxxxxxx>
Date: Wed, 11 Apr 2001 14:51:04 +0900 (JST)

Shikap <shikap@xxxxxxxxxxxx>:
(B> BSD$B$N%"%I%P%$%6%j$NFbMF$J$I$+$iC1=c$K9M$($k$H!"(B
(B> $B!VLdBj$N$"$k(Bglob()$B$r;H$C$F$$$k%W%m%0%i%`$O1F6A$rl9g$O(B glob() $B$r;HMQ$7$F$$$^$9(B
$B$7!"$=$&$G$J$$>l9g$O(B ls $B$KEO$90z?t$O(B C shell $BM3Mh$N(B glob() $B$r;H$C$FE8(B
$B3+$7$F$$$k$C%]%$$G$9(B ($B%3%a%s%H$r8+$k8B$j(B)$B!#(B
(B
$B$b$H$b$H$N(B COVERT Labs Security Advisory $B$K$h$k$H!"(B
(B
(B> Implementations based off of the c-shell globbing code contain a
(B> buffer overflow that can be triggered by supplying a pattern string
(B> such that a set of brackets {} is followed by a string that is longer
(B> than the length reserved for the stack based buffer defined in
(B> execbrc().  This could be exploited by utilizing a code path in the
(B> FTP daemon that fed the expanded output of one globbed pathname into
(B> a second call to glob().
(B> 
(B> BSD implementations of glob() contain four exploitable buffer
(B> overflows. The first buffer overflow occurs in the static utility
(B> function g_opendir(), which copies the provided pathname onto the
(B> stack. This is performed using the function g_Ctoc, which converts a
(B> 16-bit character string to an 8-bit character string, but otherwise
(B> works like strcpy. Similar overflows occur in g_lstat(), and
(B> g_stat(). A fourth overflow, one that affects the stack based buffer
(B> reserved in glob0, is the result of the behavior of the mutually
(B> recursive functions glob2() and glob3().
(B
(Bbased *off* $B$J$N$G!"J,$+$C$F$$$k$N$O(B BSD (4.4BSD $B$G$7$g$&(B) $BM3Mh$N(B 
(Bglob() $B$KLdBj$,$"$C$F!"(BC shell $BM3Mh$J$i$PBg>fIW$H$$$&$3$H$J$N$@$H(B
$B;W$C$F$$$^$9!#(B
(B----
$B$3$,$h$&$$$A$m$&(B
$B!t!V(BC shell $BM3Mh$G$J$$http://www.infoseek.co.jp/Playspot?pg=playspot_top.html&svx=971122

Follow-Ups:
- [stalk:00290] Re: FTP $B%5!<%P$K%;%-%e%j%F%#%[!<%k(J
  - From: Shikap

References:
- [stalk:00285] Re: FTP $B%5!<%P$K(B$B%;%-%e%j%F%#%[!<%k(B
  - From: KOJIMA Hajime / $B>.EgH%(B
- [stalk:00287] Re: FTP $B%5!<%P$K%;%-%e%j%F%#%[!<%k(J
  - From: Shikap

Prev by Date: [stalk:00288] Re: FTP $B%5!<%P$K%;%-%e%j%F%#%[!<%k(J
Next by Date: [stalk:00290] Re: FTP $B%5!<%P$K%;%-%e%j%F%#%[!<%k(J
Previous by thread: [stalk:00287] Re: FTP $B%5!<%P$K%;%-%e%j%F%#%[!<%k(J
Next by thread: [stalk:00290] Re: FTP $B%5!<%P$K%;%-%e%j%F%#%[!<%k(J
Index(es):
- Date
- Thread

[stalk:00289] Re: FTP $B%5!<%P$K%;%-%e%j%F%#%[!<%k(B

[stalk:00289] Re: FTP $B%5!<%P$K%;%-%e%j%F%#%[!<%k(B