Date: Thu, 31 Jul 2003 14:37:34 -0700 From: Kris Kennaway <kris@obsecurity.org> To: polytarp@cyberspace.org Cc: freebsd-security@freebsd.org Subject: Re: Wu-ftpd FTP server contains remotely exploitable off-by-one bug Message-ID: <20030731213734.GA15002@rot13.obsecurity.org> In-Reply-To: <Pine.SUN.3.96.1030731172959.25972A-100000@grex.cyberspace.org> References: <5.2.0.9.0.20030731144633.05832008@209.112.4.2> <Pine.SUN.3.96.1030731172959.25972A-100000@grex.cyberspace.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--IS0zKkzwUGydFO0o Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Jul 31, 2003 at 05:31:46PM -0400, polytarp@cyberspace.org wrote: > On Thu, 31 Jul 2003 mike@sentex.net wrote: >=20 > > At 02:40 PM 31/07/2003 -0400, polytarp@cyberspace.org wrote: > >=20 > >=20 > > >Buffer overflows which work on Linux do not work on FreeBSD. > >=20 > >=20 > > You need to qualify that statement. Yes, there are some that will not = be=20 > > relevant and the exact same exploit code will not work. But "Buffer= =20 > > overflows which work on Linux do not work on FreeBSD" is dangerously=20 > > misleading.... In the case of wu-ftpd there have been several issues in= the=20 > > past that affected both FreeBSD and Linux. Same bug, different exploit= =20 > > code, both vulnerable. That being said, I havent had a chance to revie= w=20 > > this one so I dont know. > >=20 >=20 > No, you're wrong. Even a different COMPILER -- let alone a different > OPERATING SYSTEM -- can make buffer overflows not work. 1) Can !=3D will. In most cases these vulnerabilities are fairly OS-neutral. 2) It is true that a given exploit for the overflowable buffer will not usually work on a different OS, but that doesn't mean that one cannot be easily developed to exploit that OS. Kris --IS0zKkzwUGydFO0o Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (FreeBSD) iD8DBQE/KYweWry0BWjoQKURAh6IAJ9fu2FrWWVGFTt5YCSt2Q+nSHU6XQCg79Qt J/T9iQ96Bl3vhy6TJWH4TJ0= =51TZ -----END PGP SIGNATURE----- --IS0zKkzwUGydFO0o--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030731213734.GA15002>