Date:      Mon, 3 Dec 2001 11:26:20 +0100 (CET)
From:      Konrad Heuer <kheuer@gwdu60.gwdg.de>
To:        Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
Cc:        freebsd-security@freebsd.org
Subject:   Re: ISSalert: ISS Security Alert: WU-FTPD Heap Corruption Vulnerability (fwd)
Message-ID:  <20011203112522.J1350-100000@gwdu60.gwdg.de>
In-Reply-To: <200112011125.fB1BPjf74314@mailhost.freebsd.lublin.pl>


On Sat, 1 Dec 2001, Przemyslaw Frasunek wrote:

> On Friday 30 November 2001 09:53, Konrad Heuer wrote:
> > Any opinions whether wu-ftpd on FreeBSD is vulnerable too? To my mind, it
> > seems so.
>
> actually, wu-ftpd on FreeBSD is vulnerable, but phk-malloc's design prevents
> exploiting this. the typical exploitation scenario on a linux box is:
>
> - the attacker populates the heap with pointers to the proctitle buf by calling
> 'STAT ~{ptrptrptrptr' a few times
>
> - after that, the attacker does 'STAT {~', which calls blockfree() two times in
> ftpglob(), and the malicious 'ptr' is passed to free()
>
> - in the proctitle buf there is a fake malloc chunk, pointing to the syslog() GOT
> entry and to shellcode, also located in the proctitle buf
>
> - free(), when trying to deallocate the fake chunk, overwrites the pointer to the
> syslog() function and then segfaults
>
> - the segfault sighandler calls syslog() and the shellcode is executed
>
> as you can see, exploitation of this vulnerability isn't so simple. after
> spending long hours with gdb, it looks like it's exploitable only on dlmalloc
> from glibc.

Thank you very much for your help which made a patch possible!

Best regards
Konrad

Konrad Heuer                                    Personal Bookmarks:
Gesellschaft für wissenschaftliche
   Datenverarbeitung mbH Göttingen              http://www.freebsd.org
Am Faßberg, D-37077 Göttingen                   http://www.daemonnews.org
Deutschland (Germany)

kheuer@gwdu60.gwdg.de
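As an added illustration from the defender's side (not part of this thread or of wu-ftpd), a small scanner that flags the STAT argument shapes the scenario above relies on: brace globs that never close, or a '~' adjacent to a brace, repeated within one session. The log format and session ids are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (assumed format, not real wu-ftpd output):
# "<host> <session-id> <FTP command> [argument]"
SAMPLE_LOG = """\
ftp1 s101 USER anonymous
ftp1 s101 STAT ~{ptrptrptrptr
ftp1 s101 STAT ~{ptrptrptrptr
ftp1 s101 STAT ~{ptrptrptrptr
ftp1 s101 STAT {~
ftp1 s102 STAT /pub/README
ftp1 s102 STAT {a,b}
ftp1 s102 LIST
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def suspicious_stat_arg(arg: str) -> bool:
    """True for the argument shapes used in the scenario: an unbalanced
    brace glob, or a tilde directly next to an opening brace."""
    if not arg:
        return False
    tilde_brace = "~{" in arg or "{~" in arg
    unbalanced = arg.count("{") != arg.count("}")
    return tilde_brace or unbalanced


def scan(log_text: str):
    """Return (hits, per_session): every flagged STAT line, and how many
    flagged STATs each session issued (the repetition is the signal)."""
    per_session = Counter()
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _host, session, cmd, arg = m.groups()
        if cmd.upper() == "STAT" and suspicious_stat_arg(arg or ""):
            per_session[session] += 1
            hits.append((session, arg))
    return hits, per_session


if __name__ == "__main__":
    found, counts = scan(SAMPLE_LOG)
    for sess, n in counts.items():
        print(f"session {sess}: {n} suspicious STAT argument(s)")
```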

