List: bugtraq
Subject: Re: your mail
From: Olaf Kirch <okir () MONAD ! SWB ! DE>
Date: 1999-08-30 8:04:49
On Fri, Aug 27, 1999 at 01:24:07AM +0200, Anonymous wrote:
> I've been browsing through the ftpd code and the overflow
> is really there. But as soon as I made some tests,
> (using CWD function), the vulnerable buffer seems
> to be out of stack space, which turns out to be impossible
> to reach the return address.
The problem is that the mapped path patch does something like

    /* the length argument is silently dropped: the wrapper copies the whole
       mapped path, however long it is */
    #define getcwd(buffer, length) mapped_path_cwd(buffer)
    #define getwd(buffer)          mapped_path_cwd(buffer)

(Not sure about the exact function name).
Now, when the client does a CWD, the pwd() function does

    pwd()
    {
        char path[MAXPATHLEN + 1];   /* fixed-size stack buffer */
        getcwd(path, MAXPATHLEN);    /* expands to mapped_path_cwd(path):
                                        MAXPATHLEN is never checked */
        ...
    }
There goes your stack.
FWIW, this is another example that making the stack non-executable
doesn't protect you from all kinds of stack smashing. All an attacker
needs to do is give you addresses that point into the static buffer.
Olaf
--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir@caldera.de +-------------------- Why Not?! -----------------------
UNIX, n.: Spanish manufacturer of fire extinguishers.
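The bug pattern in the message above (a getcwd()-shaped wrapper that ignores its length argument, feeding a static path buffer into a fixed-size stack buffer) and the bounded replacement that keeps the getcwd(3) contract, as a self-contained added example. This is not code from the post or from wu-ftpd; all names (mapped_path, mapped_path_cwd_bounded, pwd_bounded, DEMO_MAXPATHLEN) are hypothetical, the sample paths are constructed, and the "unbounded" side only reports how many bytes it would have written rather than writing them, so the program itself never overruns memory.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the ftpd's "mapped path" state: a static buffer
 * that can hold a path far longer than the DEMO_MAXPATHLEN a caller's
 * stack buffer is sized for (hypothetical names, not wu-ftpd's own). */
#define MAPPED_PATH_MAX 512
#define DEMO_MAXPATHLEN 64
static char mapped_path[MAPPED_PATH_MAX];

/* Test-input setter: returns 0 on success, -1 if the path would not fit. */
int set_mapped_path(const char *p)
{
    size_t need = strlen(p) + 1;
    if (need > MAPPED_PATH_MAX)
        return -1;
    memcpy(mapped_path, p, need);
    return 0;
}

/* Bytes a length-ignoring wrapper (the bug pattern) would write into the
 * caller's buffer: the whole mapped path plus its NUL, regardless of the
 * 'length' the caller passed to getcwd(). Reported, not written, so the
 * example itself never overruns memory. */
size_t unbounded_cwd_bytes_needed(void)
{
    return strlen(mapped_path) + 1;
}

/* Would getcwd(buf, length), rerouted through such a wrapper, overrun a
 * buffer of 'length' bytes? Returns 1 if yes, 0 if no. */
int unbounded_cwd_would_overflow(size_t length)
{
    return unbounded_cwd_bytes_needed() > length;
}

/* Hardened replacement that keeps the getcwd(3) contract: never writes more
 * than 'length' bytes; returns buffer on success, or NULL with errno set to
 * ERANGE (path too long) or EINVAL (bad arguments). */
char *mapped_path_cwd_bounded(char *buffer, size_t length)
{
    size_t need = strlen(mapped_path) + 1;
    if (buffer == NULL || length == 0) {
        errno = EINVAL;
        return NULL;
    }
    if (need > length) {
        errno = ERANGE;
        return NULL;
    }
    memcpy(buffer, mapped_path, need);
    return buffer;
}

/* A pwd()-style caller with the same stack buffer as the post's sketch, but
 * checking the result instead of assuming the copy fit. Copies the path into
 * 'out' and returns 0, or returns -1 with errno == ERANGE when it did not fit. */
int pwd_bounded(char *out, size_t outlen)
{
    char path[DEMO_MAXPATHLEN + 1];
    if (mapped_path_cwd_bounded(path, sizeof path) == NULL)
        return -1;
    if (strlen(path) + 1 > outlen) {
        errno = ERANGE;
        return -1;
    }
    strcpy(out, path);
    return 0;
}

int main(void)
{
    char out[DEMO_MAXPATHLEN + 1];
    char longpath[128];
    int overflow, rc;

    /* Short constructed path: fits, so both wrappers behave the same. */
    set_mapped_path("/home/ftp/pub");
    overflow = unbounded_cwd_would_overflow(DEMO_MAXPATHLEN);
    rc = pwd_bounded(out, sizeof out);
    printf("short path: would_overflow=%d pwd_bounded=%d out=%s\n",
           overflow, rc, out);

    /* Constructed 100-character path, longer than DEMO_MAXPATHLEN: the
     * unbounded wrapper would overrun the stack buffer; the bounded one
     * refuses with ERANGE and the caller sees the failure. */
    memset(longpath, 'a', 100);
    longpath[0] = '/';
    longpath[100] = '\0';
    set_mapped_path(longpath);
    overflow = unbounded_cwd_would_overflow(DEMO_MAXPATHLEN);
    rc = pwd_bounded(out, sizeof out);
    printf("long path: would_overflow=%d pwd_bounded=%d errno=%d (ERANGE=%d)\n",
           overflow, rc, errno, ERANGE);
    return 0;
}
```

The point of the bounded version is that the caller's buffer size travels with the call and the failure is reported, so a path the server cannot represent in MAXPATHLEN bytes becomes an error the pwd() code has to handle rather than a write past the end of the stack frame.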