lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 04 Aug 2003 09:55:16 +0200
From: Przemyslaw Frasunek <venglin@...ebsd.lublin.pl>
To: bugtraq@...urityfocus.com
Subject: Re: wu-ftpd fb_realpath() off-by-one bug


Użytkownik Janusz Niewiadomski napisał:
> This bug may be non-exploitable if size of the buffer is greater than
> MAXPATHLEN characters. This may occur for example if wu-ftpd is compiled
> with some versions of Linux kernel where PATH_MAX (and MAXPATHLEN 
> accordingly) is defined to be exactly 4095 characters. In such cases,
> the buffer is padded with an extra byte because of variable alignment 
> which is a result of code optimization.

Actually, this bug is (probably) also non-exploitable when wu-ftpd is 
compiled using the gcc 3.x, which aligns stack variables in a different way:

(gdb) b fb_realpath
Breakpoint 1 at 0x8063c72: file realpath.c, line 103.
(gdb) cont
Continuing.
(gdb) x/bx &resolved[4096]
0xbfffc770:     0x00
(gdb) awatch *0xbfffc770
Hardware access (read/write) watchpoint 2: *3221210992
(gdb) cont
Continuing.
Hardware access (read/write) watchpoint 2: *3221210992

Value = 0
0x400d81d9 in strcat () from /lib/libc.so.6

In my example (wu-ftpd 2.6.2 compiled on Debian with gcc 3.3.1), the 
address of NULL-overflowed byte is 0xbfffc770 and the saved %ebp is located 
at 0xbfffc788:

(gdb) info frame 2
Stack frame at 0xbfffc788:
  eip = 0x8063ae4 in wu_realpath (realpath.c:60); saved eip 0x8053b35
  called by frame at 0xbfffe7d8, caller of frame at 0xbfffb748
  source language c.
  Arglist at 0xbfffc788, args: path=0x808cef0 'A' <repeats 200 times>...,
     resolved_path=0xbfffc7a0 "\001\001", chroot_path=0x8082e60 ""
  Locals at 0xbfffc788, Previous frame's sp in esp
  Saved registers:
   ebx at 0xbfffc784, ebp at 0xbfffc788, eip at 0xbfffc78c

I have tested the generic RedHat 8.0 (which provides wu-ftpd-2.6.2-5 
compiled with gcc 3.x) and the behaviour was exactly the same.

Wu-ftpd suppiled with Debian Woody also seems to be non-exploitable -- it's 
  compiled on kernel 2.2 with PATH_MAX 4095.

-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@...sunek.com ** keyId: 2578FCAD | C0613BE3 | EC78FAB5 *

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ