Bugtraq mailing list archives
Re: your mail
From: okir () MONAD SWB DE (Olaf Kirch)
Date: Mon, 30 Aug 1999 10:04:49 +0200
On Fri, Aug 27, 1999 at 01:24:07AM +0200, Anonymous wrote:
> I've been browsing through the ftpd code and the overflow is really there.
> But as soon as I made some tests (using the CWD function), the vulnerable
> buffer seems to be out of stack space, which makes it impossible to reach
> the return address.
The problem is that the mapped path patch does something like

    #define getcwd(buffer, length)  mapped_path_cwd(buffer)
    #define getwd(buffer)           mapped_path_cwd(buffer)

(Not sure about the exact function name.) Now, when the client does a CWD, the pwd() function does

    pwd()
    {
        char path[MAXPATHLEN + 1];
        getcwd(path, MAXPATHLEN);
        ...
    }

There goes your stack.

FWIW, this is another example that making the stack non-executable doesn't protect you from all kinds of stack smashing. All an attacker needs to do is give you addresses that point into the static buffer.

Olaf
--
Olaf Kirch          |  --- o --- Nous sommes du soleil we love when we play
okir () monad swb de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir () caldera de    +-------------------- Why Not?! -----------------------
UNIX, n.: Spanish manufacturer of fire extinguishers.
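Added here as an illustration, not Olaf's code and not the ftpd mapped-path patch itself: a model of the defect the mail describes (a getcwd() macro that throws away the caller's length argument) beside a bounded variant that keeps getcwd(3)'s contract. The names g_mapped_cwd, set_mapped_cwd, mapped_path_cwd_bounded, would_overflow and the sample paths are constructed for this example; mapped_path_cwd is the name the mail guesses at.

```c
/* Added example (not from the original mail or the ftpd patch): the shape of
 * the bug, a length-dropping macro, next to a bounded replacement.
 * Names marked "constructed" are invented for illustration. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAXPATHLEN 1024

/* Constructed stand-in for the patch's static path buffer. Deliberately
 * larger than MAXPATHLEN: a client-driven path can outgrow the MAXPATHLEN
 * buffer that pwd() hands to getcwd(), which is the mismatch in the mail. */
static char g_mapped_cwd[4 * MAXPATHLEN];

/* A client CWD updates the mapped path. Bounded so that this example itself
 * can never overrun g_mapped_cwd. Returns 0 on success, -1 if too long. */
int set_mapped_cwd(const char *path)
{
    size_t n = strlen(path);
    if (n >= sizeof g_mapped_cwd)
        return -1;
    memcpy(g_mapped_cwd, path, n + 1);
    return 0;
}

/* Buggy shape from the mail: the macro discards `length`, so the callee
 * never learns how big `buffer` is and copies the whole mapped path.
 * Shown only to make the missing bound visible; it is never called on an
 * undersized destination in this example. */
char *mapped_path_cwd(char *buffer)
{
    strcpy(buffer, g_mapped_cwd);   /* unbounded copy: the defect */
    return buffer;
}
#define getcwd_buggy(buffer, length) mapped_path_cwd(buffer)

/* Defender's check: bytes the buggy path would write (including the NUL),
 * and whether that exceeds a caller's buffer of `length` bytes. */
size_t bytes_needed(void)
{
    return strlen(g_mapped_cwd) + 1;
}
int would_overflow(size_t length)
{
    return bytes_needed() > length;
}

/* Hardened form (constructed): honour `length` and fail with ERANGE, the way
 * getcwd(3) does, rather than overrun or silently truncate. */
char *mapped_path_cwd_bounded(char *buffer, size_t length)
{
    size_t need = bytes_needed();
    if (length == 0 || need > length) {
        errno = ERANGE;
        return NULL;
    }
    memcpy(buffer, g_mapped_cwd, need);
    return buffer;
}

int main(void)
{
    char path[MAXPATHLEN + 1];
    char longpath[3 * MAXPATHLEN];

    /* Constructed input: a directory name far longer than pwd()'s buffer. */
    memset(longpath, 'a', sizeof longpath - 1);
    longpath[0] = '/';
    longpath[sizeof longpath - 1] = '\0';
    set_mapped_cwd(longpath);

    printf("mapped path needs %zu bytes, caller offers %d: overflow=%d\n",
           bytes_needed(), MAXPATHLEN, would_overflow(MAXPATHLEN));
    if (mapped_path_cwd_bounded(path, MAXPATHLEN) == NULL)
        printf("bounded variant refused: %s\n", strerror(errno));

    set_mapped_cwd("/pub/incoming");
    if (mapped_path_cwd_bounded(path, MAXPATHLEN) != NULL)
        printf("bounded variant ok: %s\n", path);
    return 0;
}
```

The point the check makes is the one the mail makes: once the length parameter is macroed away, nothing on the callee side relates the copy to the caller's buffer, so the only fix that holds is to pass the size through and refuse when it does not fit.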