From: Konrad Heuer
To: Przemyslaw Frasunek
Cc: freebsd-security@freebsd.org
Date: Mon, 3 Dec 2001 11:26:20 +0100 (CET)
Subject: Re: ISSalert: ISS Security Alert: WU-FTPD Heap Corruption Vulnerability (fwd)
In-Reply-To: <200112011125.fB1BPjf74314@mailhost.freebsd.lublin.pl>
Message-ID: <20011203112522.J1350-100000@gwdu60.gwdg.de>

On Sat, 1 Dec 2001, Przemyslaw Frasunek wrote:

> On Friday 30 November 2001 09:53, Konrad Heuer wrote:
> > Any opinions whether wu-ftpd on FreeBSD is vulnerable too? To my mind, it
> > seems so.
>
> actually, wu-ftpd on FreeBSD is vulnerable, but the phk-malloc design prevents
> it from being exploited. typical scenario of exploitation on a linux box is:
>
> - attacker populates heap with pointers to proctitle buf by calling a few times
>   'STAT ~{ptrptrptrptr'
>
> - after that, attacker does 'STAT {~' which calls blockfree() two times in
>   ftpglob() and malicious 'ptr' is passed to free()
>
> - in proctitle buf there is a fake malloc chunk, pointing to syslog() GOT
>   entry and shellcode, also located in proctitle buf
>
> - free() when trying to deallocate fake chunk overwrites pointer to syslog()
>   function and then segfaults
>
> - segfault sighandler calls syslog() and shellcode is executed
>
> as you can see, exploitation of this vulnerability isn't so simple. after
> spending long hours with gdb, looks like it's exploitable only on dlmalloc
> from glibc.

Thank you very much for your help which made a patch possible!

Best regards
Konrad

Konrad Heuer                                                        Personal Bookmarks:
Gesellschaft für wissenschaftliche Datenverarbeitung mbH Göttingen  http://www.freebsd.org
Am Faßberg, D-37077 Göttingen                                       http://www.daemonnews.org
Deutschland (Germany)
kheuer@gwdu60.gwdg.de
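From a defender's side, the useful thing in the quoted scenario is the trigger shape: the globbing commands sent to ftpglob() combine tilde expansion with brace expansion ('STAT ~{...' repeated, then 'STAT {~'). The Python below, an added example that is not part of the thread and not wu-ftpd's own code, scans command-level FTP log lines for that shape and counts hits per ftpd session, so a burst of such commands from one session (the "populate the heap" step) stands out. The syslog line format, the `ftphost` host name, the pids and the sample lines are all constructed for the example; treating LIST and NLST as globbing commands alongside STAT is an assumption, since the thread names only STAT.

```python
"""Flag FTP command-log lines whose glob argument has the shape of the
wu-ftpd ftpglob() trigger discussed in the thread (tilde + brace expansion)."""
import re
from collections import Counter

# Constructed sample log. The format (syslog prefix + "ftpd[pid]: CMD arg")
# is an assumption made for this example, not a format taken from the thread.
SAMPLE_LOG = """\
Dec  3 11:20:01 ftphost ftpd[1352]: USER anonymous
Dec  3 11:20:01 ftphost ftpd[1352]: PASS guest@
Dec  3 11:20:05 ftphost ftpd[1352]: STAT /pub
Dec  3 11:20:09 ftphost ftpd[1352]: STAT ~{ptrptrptrptr
Dec  3 11:20:09 ftphost ftpd[1352]: STAT ~{ptrptrptrptr
Dec  3 11:20:10 ftphost ftpd[1352]: STAT {~
Dec  3 11:20:15 ftphost ftpd[1401]: LIST *.txt
Dec  3 11:20:16 ftphost ftpd[1401]: STAT ~
Dec  3 11:20:20 ftphost ftpd[1352]: QUIT
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"ftpd\[(?P<pid>\d+)\]: (?P<cmd>[A-Z]{3,4})(?: (?P<arg>.*))?$"
)

# Commands whose argument is handed to the server-side glob routine. STAT is
# the one the thread names; LIST and NLST are included here as an assumption.
GLOB_CMDS = {"STAT", "LIST", "NLST"}


def is_trigger_glob(arg: str) -> bool:
    """True when the argument combines tilde expansion with brace expansion,
    the shape shared by 'STAT ~{...' and 'STAT {~' in the thread.
    A bare '~' or a plain wildcard such as '*.txt' is ordinary FTP use."""
    return "~" in arg and "{" in arg


def parse_line(line: str):
    """Split one constructed log line into its fields, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["arg"] = rec["arg"] or ""
    return rec


def scan(log_text: str):
    """Return (findings, per_session): findings lists flagged (pid, cmd, arg)
    tuples, per_session counts flagged commands per ftpd pid so that a session
    repeating the pattern (the heap-populating step) can be singled out."""
    findings = []
    per_session = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["cmd"] not in GLOB_CMDS:
            continue
        if is_trigger_glob(rec["arg"]):
            findings.append((rec["pid"], rec["cmd"], rec["arg"]))
            per_session[rec["pid"]] += 1
    return findings, per_session


def sessions_over(per_session, threshold: int = 2):
    """Pids that issued at least `threshold` flagged glob commands."""
    return sorted(pid for pid, n in per_session.items() if n >= threshold)


if __name__ == "__main__":
    found, sessions = scan(SAMPLE_LOG)
    for pid, cmd, arg in found:
        print(f"pid {pid}: suspicious glob argument in {cmd} {arg!r}")
    print("sessions with repeated hits:", sessions_over(sessions))
```

The per-session counter matters more than the single-line match: one odd glob may be a typo, while several in a row from the same ftpd process is the sequence the thread describes and is worth correlating with a crash or a syslog() call from that pid shortly afterwards.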