lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <200702222215.l1MMFLRD012723@faron.mitre.org>
Date: Thu, 22 Feb 2007 17:15:21 -0500 (EST)
From: "Steven M. Christey" <coley@...re.org>
To: bugtraq@...urityfocus.com
Subject: Re[2]: Solaris telnet vulnberability - how many on your network?


Cromar Scott said:

> I know that my initial reaction was "haven't I seen this before?"
> but the above two are what I found in my notes when I looked back.

There are at least 20 FTP server implementations that have had buffer
overflows with a long USER command.  HTTP GET directory traversals are
probably not that far behind.


Thierry Zoller said:

>a very simple exploit, which does not require any code to be compiled
>by an attacker, exists. The exploit requires the attacker to simply
>define the environment variable TTYPROMPT to a 6 character string,
>inside telnet. I believe this overflows an integer inside login, which
>specifies whether or not the user has been authenticated (just a
>guess).

As buffer overflow protection schemes get stronger, I would expect to
see more of these "data-driven" attacks that target adjacent data
instead of the stack or the heap.  It's all about how important the
adjacent data is and when it's accessed.  The overflow in
CVE-2004-1291 was used to turn a server into a spam relay, for
example.  Presumably, data-driven attacks are being done by Windows
researchers already?  I don't usually study overflows down to that
level of detail.  To get the same effect in Perl, you could exploit a
format string vulnerability in a Perl application by causing the
*printf to write to shifted arguments (see my white paper from some
time back), but that's probably pretty rare in the wild for the
handful of people who bother to look.

- Steve

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ