Bugtraq mailing list archives

Re: your mail


From: okir () MONAD SWB DE (Olaf Kirch)
Date: Mon, 30 Aug 1999 10:04:49 +0200


On Fri, Aug 27, 1999 at 01:24:07AM +0200, Anonymous wrote:
> I've been browsing through the ftpd code and the overflow
> is really there. But as soon as I made some tests,
> (using CWD function), the vulnerable buffer seems
> to be out of stack space, which turns to be impossible
> to reach the return address.

The problem is that the mapped path patch does something like

        #define getcwd(buffer, length)  mapped_path_cwd(buffer)
        #define getwd(buffer)           mapped_path_cwd(buffer)

(Not sure about the exact function name).

Now, when the client does a CWD, the pwd() function does

pwd()
{
        char path[MAXPATHLEN + 1];

        getcwd(path, MAXPATHLEN);
        ...
}

There goes your stack.

FWIW, this is another example that making the stack non-executable
doesn't protect you from all kinds of stack smashing. All an attacker
needs to do is give you addresses that point into the static buffer.

Olaf

--
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir () monad swb de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir () caldera de    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.

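Added example (not from the post, not wu-ftpd's code): the fix for the pattern Olaf describes is to stop discarding the length argument. Below, a mapped-path layer tracks the client's virtual directory in a static buffer; the hypothetical mapped_path_cwd_safe() honours the caller's buffer length the way getcwd(3) does, so pwd()'s stack buffer can no longer be overrun by a long virtual path. MAPPED_PATH_MAX, mapped_path, mapped_path_set() and pwd_reply() are assumed names for illustration.

```c
/* Added example: a length-honouring replacement for the mapped-path cwd
 * helper described in the post. The names mapped_path_cwd_safe,
 * MAPPED_PATH_MAX, mapped_path, mapped_path_set and pwd_reply are
 * assumptions for illustration, not wu-ftpd's actual code. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifndef MAXPATHLEN
#define MAXPATHLEN 1024
#endif

/* Largest virtual path the mapped-path layer tracks (assumed). It is
 * deliberately larger than MAXPATHLEN: that mismatch is what makes a
 * getcwd() replacement that ignores its length argument dangerous. */
#define MAPPED_PATH_MAX 4096

/* Server-side record of the client's virtual working directory
 * (the "static buffer" the post refers to). */
static char mapped_path[MAPPED_PATH_MAX + 1] = "/";

/* Simulate a CWD request updating the tracked virtual path.
 * Returns 0 on success, -1 if the new path does not fit the record. */
int mapped_path_set(const char *newpath)
{
    size_t n = strlen(newpath);
    if (n > MAPPED_PATH_MAX)
        return -1;
    memcpy(mapped_path, newpath, n + 1);
    return 0;
}

/* Hardened helper: honours the caller's buffer length like getcwd(3),
 * returning NULL with errno = ERANGE when the virtual path (plus its
 * terminating NUL) does not fit. */
char *mapped_path_cwd_safe(char *buffer, size_t length)
{
    size_t n = strlen(mapped_path);
    if (buffer == NULL || length == 0) { errno = EINVAL; return NULL; }
    if (n + 1 > length) { errno = ERANGE; return NULL; }
    memcpy(buffer, mapped_path, n + 1);
    return buffer;
}

/* The macro in the post drops the length argument; this one passes it
 * through, so the callee can refuse instead of overrunning the buffer. */
#define getcwd_mapped(buffer, length) mapped_path_cwd_safe((buffer), (length))

/* pwd() as in the post, built on the safe wrapper. Returns 0 and writes the
 * 257 reply into out on success, -1 when the path would not fit (the server
 * would answer with an error reply rather than smash its stack). */
int pwd_reply(char *out, size_t outlen)
{
    char path[MAXPATHLEN + 1];

    if (getcwd_mapped(path, sizeof path) == NULL)
        return -1;
    snprintf(out, outlen, "257 \"%s\" is current directory.", path);
    return 0;
}

int main(void)
{
    char reply[MAXPATHLEN + 64];
    char longpath[MAXPATHLEN + 2];

    mapped_path_set("/pub/incoming");
    if (pwd_reply(reply, sizeof reply) == 0)
        puts(reply);

    /* Constructed virtual path one byte longer than pwd()'s stack buffer
     * can hold: the safe helper refuses it with ERANGE. */
    memset(longpath, 'A', sizeof longpath - 1);
    longpath[0] = '/';
    longpath[sizeof longpath - 1] = '\0';
    mapped_path_set(longpath);
    if (pwd_reply(reply, sizeof reply) != 0)
        puts("550 current directory name too long (refused, stack buffer intact)");
    return 0;
}
```

The design point is that the length argument must reach the function that actually copies; a macro that swallows it turns every getcwd(path, MAXPATHLEN) call in the daemon into an unbounded copy from a buffer the client controls through CWD.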
