Message-ID: <20050219201458.12943.qmail@www.securityfocus.com>
Date: 19 Feb 2005 20:14:58 -0000
From: yan feng <jsk@...nt0m.net>
To: bugtraq@...urityfocus.com
Subject: webfsd fun. opensource is god .lol windows




                          webfsd fun. opensource is god .lol windows


                                pst.security advisory 2005-2-20


Systems affected:
unstable webfsd 1.21
stable webfsd 1.17.2


Not affected:


none..all remotely exploitable



1:  Why an advisory?  This bug was found two years ago, yeah, Debian and the webfsd coder can't patch this, hehe...:P  It is no problem...  this is not power... so pub it


2:  Description:
all webfsd can be remotely exploited easily via a writable dir...

see gdb ..:P

The problem is in ls.c....   I don't want to patch it..hehe


static char* 
ls(time_t now, char *hostname, char *filename, char *path, int *length)
{
    DIR            *dir;
    struct dirent  *file;
    struct myfile  **files = NULL;
    struct myfile  **re1;
    char           *h1,*h2,*re2,*buf = NULL;
    int            count,len,size,i,uid,gid;
    char           line[1024];
    char           *pw = NULL, *gr = NULL;

    if (debug)
	fprintf(stderr,"dir: reading %s\n",filename);
    if (NULL == (dir = opendir(filename)))
	return NULL;

    /* read dir */
    uid = getuid();
    gid = getgid();
    for (count = 0;; count++) {
	if (NULL == (file = readdir(dir)))
	    break;
	if (0 == strcmp(file->d_name,".")) {
	    /* skip the "." directory */
	    count--;
	    continue;
	}
	if (0 == strcmp(path,"/") && 0 == strcmp(file->d_name,"..")) {
	    /* skip the ".." directory in root dir */
	    count--;
	    continue;
	}

	if (0 == (count % 64)) {
	    re1 = realloc(files,(count+64)*sizeof(struct myfile*));  /* ..... it is not good code tips.:P */
	    if (NULL == re1)
		goto oom;
	    files = re1;
	}

	files[count] = malloc(strlen(file->d_name)+sizeof(struct myfile));
	if (NULL == files[count])
	    goto oom;
	strcpy(files[count]->n,file->d_name);  /* ......:P */
	sprintf(line,"%s/%s",filename,file->d_name);  /* .....:P */
	if (-1 == stat(line,&files[count]->s)) {
	    free(files[count]);
	    count--;
	    continue;
	}



..................................................

gdb it

Program received signal SIGSEGV, Segmentation fault.
0x4009c5eb in strlen () from /lib/libc.so.6
(gdb) bt
#0  0x4009c5eb in strlen () from /lib/libc.so.6
#1  0x4006ea53 in vfprintf () from /lib/libc.so.6
#2  0x4008866b in vsprintf () from /lib/libc.so.6
#3  0x4007632d in sprintf () from /lib/libc.so.6
#4  0x0804df44 in ls (now=1094795585, hostname=0x41414141 "",
    filename=0x41414141 "", path=0x41414141 "", length=0x41414141) at ls.c:254
#5  0x41414141 in ?? ()
#6  0x41414141 in ?? ()
#7  0x41414141 in ?? ()
#8  0x41414141 in ?? ()
#9  0x41414141 in ?? ()

....................................................

I sent a mail to kraxel@...esex.org   (2004. 2.6)

but I didn't receive a reply ...so ...



In 2003 I did another working exploit for this bug..



easy to gain  ....



webfsd : I use it to upload movies.... it is clear  and fast..




^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
resol..

 webfsd new version(:P)

http://linux.bytesex.org/misc/webfs.html     


I don't like going to work... but I have to do it..
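
Added example (not part of the original post and not webfsd's own code): a bounded replacement for the sprintf(line,"%s/%s",filename,file->d_name) call marked in the ls.c excerpt, which rejects a directory/entry pair that does not fit in the 1024-byte buffer instead of writing past it. The names join_path, check_constructed and LINE_MAX_LEN are assumptions made for this sketch, and the long directory string is constructed sample input.

```c
#include <stdio.h>
#include <string.h>

#define LINE_MAX_LEN 1024   /* same size as `char line[1024]` in the excerpt */

/* Bounded replacement for sprintf(line,"%s/%s",filename,file->d_name).
 * Returns 0 on success, -1 if the joined path would not fit; dst is then
 * left as an empty string so a truncated path is never used by mistake. */
static int join_path(char *dst, size_t dstsz, const char *dir, const char *name)
{
    int n;

    if (dst == NULL || dstsz == 0 || dir == NULL || name == NULL)
        return -1;
    n = snprintf(dst, dstsz, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= dstsz) {   /* error, or output was truncated */
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed input: a directory path of dir_len 'A' bytes plus an entry
 * name, standing in for a deeply nested directory on the served tree.
 * Returns what join_path() reports for that pair (-2: test input too big). */
static int check_constructed(size_t dir_len, const char *name)
{
    char dir[4096];
    char line[LINE_MAX_LEN];

    if (dir_len >= sizeof(dir))
        return -2;
    memset(dir, 'A', dir_len);
    dir[dir_len] = '\0';
    return join_path(line, sizeof(line), dir, name);
}

int main(void)
{
    printf("short path:    %d\n", check_constructed(16, "movie.avi"));
    printf("exact fit:     %d\n", check_constructed(1013, "movie.avi"));
    printf("one byte over: %d\n", check_constructed(1014, "movie.avi"));
    return 0;
}
```

In a directory-listing loop like the one quoted above, a -1 result would be handled the same way as the failed stat() case: skip the entry and continue.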

