Date: Mon, 4 Jun 2001 14:21:16 +0200
From: Przemyslaw Frasunek
To: Gino Thomas
Cc: security@freebsd.org
Subject: Re: rpc.statd attack before ipfw activated
Message-ID: <20010604142116.R3509@riget.scene.pl>
In-Reply-To: from ingram@vc-protect.net on Mon, Jun 04, 2001 at 01:05:53PM +0200
User-Agent: Mutt/1.2.5i

On Mon, Jun 04, 2001 at 01:05:53PM +0200, Gino Thomas wrote:

> > xbf^[\xf7\xff\xbf%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n
> Seems to be a typical shellcode string.

It isn't a 'typical' shellcode string. The bug in Linux rpc.statd is a format string vulnerability, not a buffer overflow.

> A "typical" attack buffer looks like this: nopnopnopnopshellcode/bin/shretretretretret

Not in the case of formatting vulnerabilities.

-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *
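The reply above draws the distinction but does not spell out why the quoted `%8x...%236x%n...` string is a format-string payload rather than an overflow buffer. The following C routine is an added example, not code from either poster or from rpc.statd: it walks a printf-style string the way the formatter's parser does, counting the characters each field would emit and recording the running count at every `%n`, which is exactly the value `%n` stores through the pointer it pops. The `%8x` fields each pop and print one stack word; the `%236x`, `%137x`, `%10x`, `%192x` widths set the four values written. The function and type names (`fmt_audit_scan` and friends) are hypothetical, the `PAYLOAD_TAIL` constant is the specifier portion of the quoted string (the leading address bytes in the post are garbled and are left out), and the assumption that a `%Nx` field emits exactly `N` characters holds whenever the popped 32-bit word fits in `N` hex digits, i.e. for any `N >= 8`.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_WRITES 16

/* Specifier portion of the payload quoted in the thread (constructed constant;
 * the garbled address prefix from the post is deliberately not reproduced). */
static const char PAYLOAD_TAIL[] =
    "%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n";

/* Hypothetical result type for the audit (added here, not a real API). */
struct fmt_audit {
    unsigned long chars_out;               /* characters the format would emit in total */
    size_t args_popped;                    /* arguments consumed: one stack slot each   */
    size_t n_writes;                       /* %n / %hn / %hhn specifiers seen           */
    unsigned long write_value[MAX_WRITES]; /* chars_out at each %n == value it writes   */
    int short_write[MAX_WRITES];           /* 1 for %hn/%hhn (narrow write), 0 for %n   */
    int approximate;                       /* set if a width-less field had to be guessed */
};

/*
 * Walk the string like printf's parser.  Literal bytes add 1 to the output
 * counter, a %Nx-style field adds its width (exact when the popped value fits,
 * which a 32-bit word does in 8+ hex digits), and %n snapshots the counter into
 * the pointer argument it pops.  Nothing is formatted or written: this is the
 * arithmetic behind choosing widths such as %236x so that each %n stores the
 * wanted value (classically, overlapping writes whose low bytes build an address).
 */
void fmt_audit_scan(const char *s, struct fmt_audit *a)
{
    memset(a, 0, sizeof *a);
    const char *p = s;
    while (*p) {
        if (*p != '%') { a->chars_out++; p++; continue; }
        p++;
        if (*p == '%') { a->chars_out++; p++; continue; }   /* "%%" emits one '%' */
        while (*p && strchr("-+ #0", *p)) p++;               /* flags */
        unsigned long width = 0;
        while (isdigit((unsigned char)*p))
            width = width * 10 + (unsigned long)(*p++ - '0');
        if (*p == '.') {                                     /* precision: parsed, not modelled */
            p++;
            while (isdigit((unsigned char)*p)) p++;
        }
        int narrow = 0;
        while (*p == 'h' || *p == 'l' || *p == 'z') {        /* length modifiers */
            if (*p == 'h') narrow = 1;
            p++;
        }
        char conv = *p;
        if (conv == '\0') break;                             /* truncated specifier */
        p++;
        a->args_popped++;                                    /* every conversion pops one argument, %n too */
        if (conv == 'n') {
            if (a->n_writes < MAX_WRITES) {
                a->write_value[a->n_writes] = a->chars_out;
                a->short_write[a->n_writes] = narrow;
            }
            a->n_writes++;
        } else if (width > 0) {
            a->chars_out += width;                           /* field padded to exactly 'width' */
        } else {
            /* No width given: %c is one char; for anything else assume 8 (32-bit word in hex). */
            a->chars_out += (conv == 'c') ? 1 : 8;
            if (conv != 'c') a->approximate = 1;
        }
    }
}

/* Small accessors so callers (and tests) can ask single questions. */
size_t fmt_audit_write_count(const char *s)
{
    struct fmt_audit a; fmt_audit_scan(s, &a); return a.n_writes;
}
size_t fmt_audit_args_popped(const char *s)
{
    struct fmt_audit a; fmt_audit_scan(s, &a); return a.args_popped;
}
unsigned long fmt_audit_nth_write(const char *s, size_t i)
{
    struct fmt_audit a; fmt_audit_scan(s, &a);
    return (i < a.n_writes && i < MAX_WRITES) ? a.write_value[i] : 0;
}

int main(void)
{
    struct fmt_audit a;
    fmt_audit_scan(PAYLOAD_TAIL, &a);
    printf("args popped: %zu, %%n writes: %zu, total chars: %lu\n",
           a.args_popped, a.n_writes, a.chars_out);
    for (size_t i = 0; i < a.n_writes && i < MAX_WRITES; i++)
        printf("  write %zu: %s stores %lu (0x%lx, low byte 0x%02lx)\n", i,
               a.short_write[i] ? "%hn" : "%n", a.write_value[i],
               a.write_value[i], a.write_value[i] & 0xff);
    return 0;
}
```

Run against the quoted specifiers the audit reports 17 popped arguments (13 `%x` reads walking up the stack plus the 4 pointers `%n` consumes) and four writes of 308, 445, 455 and 647. A NOP-sled-plus-shellcode buffer, by contrast, contains no `%` conversions at all, so the same scan reports zero writes: that is the observable difference the reply points at. Literal bytes before the first specifier (the target address in a real payload) add to every recorded value, so in practice the widths are chosen with that prefix length included.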