Vulnerability Development mailing list archives

Re: compress(vul) + ftpd(?)


From: "Pavel Kankovsky" <peak () argo troja mff cuni cz>
Date: Sun, 10 Mar 2002 00:48:23 +0100 (MET)

On Thu, 7 Mar 2002, H D Moore wrote:

> On Thursday 07 March 2002 09:30 am, HypH wrote:
> > On Thu  7. March 2002 15:18, H D Moore wrote:
> > > YES. wu-ftpd will call compress with the file name as an argument if you
> > > request the file name ending in .Z. You have to be able to write out a
> > > file name containing the shell code to exploit the bug.
> >
> > The problem is that the file has to be 1100 chars long, with the
> > shellcode within. But wu-ftpd doesn't allow/handle such long filenames.
>
> Hmm.. What about splitting the shellcode into different directories and then
> requesting the full path to the file (directories and all) ending in .Z?

The total length of the command is limited. I think one could fool it using a
race between wildcard expansion and the code deciding whether compress
should be run: you create shellcode.Z, send "get shell*.Z", and rename
shellcode.Z to shellcode at the right moment.

BTW: This is an ANCIENT problem.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

