Message-ID: <20050219201458.12943.qmail@www.securityfocus.com>
Date: 19 Feb 2005 20:14:58 -0000
From: yan feng <jsk@...nt0m.net>
To: bugtraq@...urityfocus.com
Subject: webfsd fun. opensource is god .lol windows
webfsd fun. opensource is god .lol windows
pst.security advisory 2005-2-20
Systems affected:
unstable webfsd 1.21
stable webfsd 1.17.2
not affected:
none..all remote exploitable
1: why advisory? this bug was found two years ago, yeah, debian and webfsd coder can't patch this hehe...:P it is no problem... this is not power ...so pub it
2: Description:
all webfsd can be remotely exploited easily via a writable dir...
see gdb ..:P
problem is in ls.c.... i don't want to patch it..hehe
static char*
ls(time_t now, char *hostname, char *filename, char *path, int *length)
{
    DIR *dir;
    struct dirent *file;
    struct myfile **files = NULL;
    struct myfile **re1;
    char *h1,*h2,*re2,*buf = NULL;
    int count,len,size,i,uid,gid;
    char line[1024];
    char *pw = NULL, *gr = NULL;

    if (debug)
        fprintf(stderr,"dir: reading %s\n",filename);
    if (NULL == (dir = opendir(filename)))
        return NULL;

    /* read dir */
    uid = getuid();
    gid = getgid();
    for (count = 0;; count++) {
        if (NULL == (file = readdir(dir)))
            break;
        if (0 == strcmp(file->d_name,".")) {
            /* skip the "." directory */
            count--;
            continue;
        }
        if (0 == strcmp(path,"/") && 0 == strcmp(file->d_name,"..")) {
            /* skip the ".." directory in root dir */
            count--;
            continue;
        }
        if (0 == (count % 64)) {
            re1 = realloc(files,(count+64)*sizeof(struct myfile*)); /* ..... it is not good code tips.:P */
            if (NULL == re1)
                goto oom;
            files = re1;
        }
        files[count] = malloc(strlen(file->d_name)+sizeof(struct myfile));
        if (NULL == files[count])
            goto oom;
        strcpy(files[count]->n,file->d_name); /* ......:P */
        sprintf(line,"%s/%s",filename,file->d_name); /* .....:P */
        if (-1 == stat(line,&files[count]->s)) {
            free(files[count]);
            count--;
            continue;
        }
..................................................
gdb it
Program received signal SIGSEGV, Segmentation fault.
0x4009c5eb in strlen () from /lib/libc.so.6
(gdb) bt
#0 0x4009c5eb in strlen () from /lib/libc.so.6
#1 0x4006ea53 in vfprintf () from /lib/libc.so.6
#2 0x4008866b in vsprintf () from /lib/libc.so.6
#3 0x4007632d in sprintf () from /lib/libc.so.6
#4 0x0804df44 in ls (now=1094795585, hostname=0x41414141 "",
filename=0x41414141 "", path=0x41414141 "", length=0x41414141) at ls.c:254
#5 0x41414141 in ?? ()
#6 0x41414141 in ?? ()
#7 0x41414141 in ?? ()
#8 0x41414141 in ?? ()
#9 0x41414141 in ?? ()
....................................................
i sent a mail to kraxel@...esex.org (2004. 2.6)
but I didn't receive a reply ...so ...
in 2003 I have done another working exploit for this bug..
easy to gain ....
webfsd : i use it to upload movies.... it is clear and fast..
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
resol..
webfsd new version(:P)
http://linux.bytesex.org/misc/webfs.html
I don't like to go to work... but i have to do it..
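
A bounded replacement for the sprintf(line,"%s/%s",...) call in the quoted ls(), which writes filename plus d_name into the fixed 1024-byte line buffer with no length check. This is an added example, not part of the original post or of the webfs source; join_path, try_join and LINE_BUF_SIZE are hypothetical names and the sample paths are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define LINE_BUF_SIZE 1024 /* same size as `line` in the quoted ls() */

/*
 * Hypothetical helper: build "dir/name" into dst without writing past dstsz.
 * Returns 0 on success. Returns -1 with errno = ENAMETOOLONG when the result
 * (including the terminating NUL) does not fit; dst is then an empty string,
 * so a caller can never stat() a silently truncated path.
 */
static int join_path(char *dst, size_t dstsz, const char *dir, const char *name)
{
    int n;

    if (dst == NULL || dstsz == 0 || dir == NULL || name == NULL) {
        errno = EINVAL;
        return -1;
    }
    n = snprintf(dst, dstsz, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= dstsz) { /* snprintf reports the needed length */
        dst[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Constructed input: a directory path made of `dirlen` 'd' characters. */
static int try_join(size_t dirlen, const char *name)
{
    char dir[4096];
    char line[LINE_BUF_SIZE];

    if (dirlen >= sizeof(dir))
        return -2;
    memset(dir, 'd', dirlen);
    dir[dirlen] = '\0';
    return join_path(line, sizeof(line), dir, name);
}

int main(void)
{
    printf("short dir: %d\n", try_join(16, "movie.avi"));
    printf("exact fit: %d\n", try_join(1013, "movie.avi"));
    printf("one over:  %d\n", try_join(1014, "movie.avi"));
    return 0;
}
```

In a directory-listing loop like the one quoted, a -1 return would be handled the same way as the failed stat(): free the entry, decrement count and continue.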