From: Przemyslaw Frasunek
Organization: czuby.net
To: Konrad Heuer, freebsd-security@freebsd.org
Subject: Re: ISSalert: ISS Security Alert: WU-FTPD Heap Corruption Vulnerability (fwd)
Date: Sat, 1 Dec 2001 12:25:44 +0100
Message-Id: <200112011125.fB1BPjf74314@mailhost.freebsd.lublin.pl>
In-Reply-To: <20011130095138.F55193-100000@gwdu60.gwdg.de>

On Friday 30 November 2001 09:53, Konrad Heuer wrote:
> Any opinions whether wu-ftpd on FreeBSD is vulnerable too? To my mind, it
> seems so.

Actually, wu-ftpd on FreeBSD is vulnerable, but the phk-malloc design prevents it from being exploited.
A typical exploitation scenario on a Linux box is:

- the attacker populates the heap with pointers to the proctitle buffer by calling 'STAT ~{ptrptrptrptr' a few times
- after that, the attacker sends 'STAT {~', which calls blockfree() twice in ftpglob(), and the malicious 'ptr' is passed to free()
- in the proctitle buffer there is a fake malloc chunk pointing to the syslog() GOT entry and to shellcode, also located in the proctitle buffer
- free(), when trying to deallocate the fake chunk, overwrites the pointer to the syslog() function and then segfaults
- the segfault signal handler calls syslog() and the shellcode is executed

As you can see, exploitation of this vulnerability isn't so simple. After spending long hours with gdb, it looks like it's exploitable only with dlmalloc from glibc.

-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *
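As an added example (not from the post above, and not code from wu-ftpd or glibc), the following C program models the step the post relies on: free() on an attacker-built fake chunk runs the 2001-era dlmalloc unlink, which performs two pointer writes through fd/bk with no integrity check, so a chunk whose fd points just before the syslog() GOT slot and whose bk points at the shellcode rewrites the slot with the shellcode address. The names fake_got, fake_shellcode, craft_fake_chunk and run_attack are mine; the GOT and the shellcode are plain arrays (nothing is executed from them), and the SIGSEGV-handler-to-syslog() step is not modelled. The example also shows the side effect that real shellcode for this technique has to survive: the second unlink write lands inside the shellcode buffer, which is why such payloads start with a short jump over the clobbered bytes.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the 2001-era dlmalloc/glibc chunk header.  On a free chunk the
 * user-data area holds fd/bk links into a doubly linked bin list. */
struct chunk {
    size_t prev_size;
    size_t size;
    struct chunk *fd;
    struct chunk *bk;
};

/* The old unlink macro of that allocator, transcribed as a function.  It
 * trusts fd and bk completely: two writes through attacker-chosen pointers.
 * Later glibc versions check fd->bk == p && bk->fd == p before doing this. */
static void unlink_chunk(struct chunk *p)
{
    struct chunk *fd = p->fd;
    struct chunk *bk = p->bk;
    fd->bk = bk;   /* write #1: *(fd + offsetof(bk)) = bk */
    bk->fd = fd;   /* write #2: *(bk + offsetof(fd)) = fd */
}

/* Stand-in for the process's GOT (constructed for this example).  The padding
 * keeps the fd pointer computed below inside this object; syslog_slot plays
 * the role of the syslog() entry. */
static struct {
    unsigned char pad[sizeof(struct chunk)];
    void *syslog_slot;
} fake_got;

/* Stand-in for the shellcode in the proctitle buffer (constructed).  It is
 * never executed; we only observe which of its bytes write #2 clobbers. */
static _Alignas(struct chunk) unsigned char fake_shellcode[64];

static void real_syslog(void) {}

/* Build the fake chunk the way the attack does: fd points offsetof(bk) bytes
 * before the GOT slot so that write #1 lands exactly on the slot, and bk is
 * the shellcode address so that the slot receives it. */
static void craft_fake_chunk(struct chunk *fake, void *got_slot, void *shellcode)
{
    memset(fake, 0, sizeof *fake);
    fake->fd = (struct chunk *)((unsigned char *)got_slot - offsetof(struct chunk, bk));
    fake->bk = (struct chunk *)shellcode;
}

/* Run the sequence from a clean state: GOT points at real_syslog, the
 * shellcode buffer is a 0x90 fill, then the fake chunk is "freed". */
static void run_attack(void)
{
    struct chunk fake;
    fake_got.syslog_slot = (void *)real_syslog;
    memset(fake_shellcode, 0x90, sizeof fake_shellcode);
    craft_fake_chunk(&fake, &fake_got.syslog_slot, fake_shellcode);
    unlink_chunk(&fake);   /* what free() does to the fake chunk */
}

/* 1 if the GOT slot now holds the shellcode address, 0 otherwise. */
int got_slot_hijacked(void)
{
    run_attack();
    return fake_got.syslog_slot == (void *)fake_shellcode;
}

/* Byte offset inside the shellcode that write #2 overwrites with fd. */
size_t clobbered_offset(void)
{
    return offsetof(struct chunk, fd);
}

/* 1 if the bytes before clobbered_offset() survived the attack while the
 * pointer-sized window at clobbered_offset() did not. */
int shellcode_clobber_as_expected(void)
{
    size_t off = clobbered_offset();
    size_t i;
    run_attack();
    for (i = 0; i < off; i++)
        if (fake_shellcode[i] != 0x90)
            return 0;
    return memcmp(fake_shellcode + off, "\x90\x90\x90\x90", 4) != 0;
}

int main(void)
{
    printf("GOT slot hijacked: %d\n", got_slot_hijacked());
    printf("shellcode bytes clobbered at offset %zu: %d\n",
           clobbered_offset(), shellcode_clobber_as_expected());
    return 0;
}
```

The same two writes are what the post's phk-malloc remark is about: phkmalloc keeps its bookkeeping (page directory and per-page bitmaps) outside the user chunks, so a freed chunk carries no fd/bk links and there is no unlink for a fake chunk to drive. On current glibc the unlink additionally verifies fd->bk == p && bk->fd == p and aborts with "corrupted double-linked list" when the links do not point back, so the crafted chunk above would be rejected rather than unlinked.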