[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Re: your mail
From:       Olaf Kirch <okir () MONAD ! SWB ! DE>
Date:       1999-08-30 8:04:49
[Download RAW message or body]

On Fri, Aug 27, 1999 at 01:24:07AM +0200, Anonymous wrote:
> I've been browsing through the ftpd code and the overflow
> is really there. But as soon as I made some tests,
> (using CWD function), the vulnerable buffer seems
> to be out of stack space, which turns to be impossible
> to reach the return address.

The problem is that the mapped path patch does something like

	#define getcwd(buffer, length)	mapped_path_cwd(buffer)
	#define getwd(buffer)		mapped_path_cwd(buffer)

(Not sure about the exact function name).

Now, when the client does a CWD, the pwd() function does

pwd()
{
	char path[MAXPATHLEN + 1];

	getcwd(path, MAXPATHLEN);
	...
}

There goes your stack.

FWIW, this is another example that making the stack non-executable
doesn't protect you from all kinds of stack smashing. All an attacker
needs to do is give you addresses that point into the static buffer.

Olaf
--
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir@caldera.de    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.

[prev in list] [next in list] [prev in thread] [next in thread]