Date: Sat, 1 Dec 2001 12:25:44 +0100
From: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
To: Konrad Heuer <kheuer@gwdu60.gwdg.de>, freebsd-security@freebsd.org
Subject: Re: ISSalert: ISS Security Alert: WU-FTPD Heap Corruption Vulnerability (fwd)
Message-ID: <200112011125.fB1BPjf74314@mailhost.freebsd.lublin.pl>
In-Reply-To: <20011130095138.F55193-100000@gwdu60.gwdg.de>
References: <20011130095138.F55193-100000@gwdu60.gwdg.de>
On Friday 30 November 2001 09:53, Konrad Heuer wrote:
> Any opinions whether wu-ftpd on FreeBSD is vulnerable too? To my mind, it
> seems so.

Actually, wu-ftpd on FreeBSD is vulnerable, but the phk-malloc design prevents exploiting this. The typical exploitation scenario on a Linux box is:

- the attacker populates the heap with pointers to the proctitle buf by calling 'STAT ~{ptrptrptrptr' a few times
- after that, the attacker does 'STAT {~', which calls blockfree() twice in ftpglob(), and the malicious 'ptr' is passed to free()
- in the proctitle buf there is a fake malloc chunk, pointing to the syslog() GOT entry and to shellcode, also located in the proctitle buf
- free(), when trying to deallocate the fake chunk, overwrites the pointer to the syslog() function and then segfaults
- the segfault sighandler calls syslog() and the shellcode is executed

As you can see, exploitation of this vulnerability isn't so simple. After spending long hours with gdb, it looks like it's exploitable only on dlmalloc from glibc.

-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200112011125.fB1BPjf74314>