Re: ISSalert: ISS Security Alert: WU-FTPD Heap Corruption Vulnerability (fwd)
From: Konrad Heuer (kheuer@gwdu60.gwdg.de)
Date: 12/03/01
Date: Mon, 3 Dec 2001 11:26:20 +0100 (CET)
From: Konrad Heuer <kheuer@gwdu60.gwdg.de>
To: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
On Sat, 1 Dec 2001, Przemyslaw Frasunek wrote:
> On Friday 30 November 2001 09:53, Konrad Heuer wrote:
> > Any opinions whether wu-ftpd on FreeBSD is vulnerable too? To my mind, it
> > seems so.
>
> actually, wu-ftpd on FreeBSD is vulnerable, but the phk-malloc design prevents
> exploiting this. the typical scenario of exploitation on a linux box is:
>
> - attacker populates the heap with pointers to the proctitle buf by calling
> 'STAT ~{ptrptrptrptr' a few times
>
> - after that, the attacker does 'STAT {~', which calls blockfree() twice in
> ftpglob(), and the malicious 'ptr' is passed to free()
>
> - in the proctitle buf there is a fake malloc chunk, pointing to the syslog() GOT
> entry and to shellcode, also located in the proctitle buf
>
> - free(), when trying to deallocate the fake chunk, overwrites the pointer to the
> syslog() function and then segfaults
>
> - the segfault sighandler calls syslog() and the shellcode is executed
>
> as you can see, exploitation of this vulnerability isn't so simple. after
> spending long hours with gdb, it looks like it's exploitable only on the dlmalloc
> from glibc.
Thank you very much for your help which made a patch possible!
Best regards
Konrad
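As an added example that is not part of this thread, the check below scans an FTP command log for the STAT arguments the quoted steps rely on ('~' and '{' glob characters reaching ftpglob()) and reports clients that issue them repeatedly. The "client command argument" log format, the sample lines and the threshold are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample log (format assumed: "client-ip COMMAND argument").
SAMPLE_LOG = """\
192.0.2.10 USER anonymous
192.0.2.10 STAT ~{ptrptrptrptr
192.0.2.10 STAT ~{ptrptrptrptr
192.0.2.10 STAT {~
192.0.2.44 STAT /pub
192.0.2.44 LIST
"""

# Glob metacharacters that drive brace/tilde expansion in ftpglob().
GLOB_RE = re.compile(r"[{~]")


@dataclass
class Hit:
    client: str
    command: str
    argument: str


def parse_line(line):
    """Split one log line into (client, COMMAND, argument); None if malformed."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        return None
    client, cmd = parts[0], parts[1].upper()
    arg = parts[2] if len(parts) == 3 else ""
    return client, cmd, arg


def find_glob_stat(log_text, commands=("STAT",)):
    """Return every command of interest whose argument carries a glob metacharacter."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, cmd, arg = parsed
        if cmd in commands and GLOB_RE.search(arg):
            hits.append(Hit(client, cmd, arg))
    return hits


def clients_over_threshold(hits, threshold=2):
    """Clients with at least `threshold` flagged commands (assumed alert cut-off)."""
    counts = {}
    for h in hits:
        counts[h.client] = counts.get(h.client, 0) + 1
    return sorted(c for c, n in counts.items() if n >= threshold)
```

A plain 'STAT /pub' is not flagged; the three brace/tilde STATs from one client are.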
Konrad Heuer
Gesellschaft für wissenschaftliche Datenverarbeitung mbH Göttingen
Am Faßberg, D-37077 Göttingen
Deutschland (Germany)

Personal Bookmarks:
http://www.freebsd.org
http://www.daemonnews.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message