Re: Wu-ftpd FTP server contains remotely exploitable off-by-one bug

fbsd_at_w88trigger.com
Date: 07/31/03 

To: <polytarp@cyberspace.org>, <mike@sentex.net>
Date: Thu, 31 Jul 2003 14:41:46 -0700

Did you read Mike's email!? Sure, a different compiler and OS
can make buffer overflows not work, but that does not mean the
buffer overflow does not exist on a different system. The
buffer overflow MAY still exist and MAY still be exploitable
using different exploit code (as Mike stated in his email).

On Thursday 31 July 2003 14:31, polytarp@cyberspace.org wrote:
> On Thu, 31 Jul 2003 mike@sentex.net wrote:
> > At 02:40 PM 31/07/2003 -0400, polytarp@cyberspace.org wrote:
> > >Buffer overflows which work on Linux do not work on
> > > FreeBSD.
> >
> > You need to qualify that statement. Yes, there are some
> > that will not be relevant and the exact same exploit code
> > will not work. But "Buffer overflows which work on Linux
> > do not work on FreeBSD" is dangerously misleading.... In the
> > case of wu-ftpd there have been several issues in the past
> > that affected both FreeBSD and Linux. Same bug, different
> > exploit code, both vulnerable. That being said, I havent
> > had a chance to review this one so I dont know.
>
> No, you're wrong. Even a different COMPILER -- let alone a
> different OPERATING SYSTEM -- can make buffer overflows not
> work.
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe@freebsd.org"

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

Relevant Pages

  • Re: GLIBC_2.4
    ... A buggy application (buffer overflow in Firefox...) or an evil bit of ... JavaScript could be used by a "virus" to install a trojan in $HOME/bin. ... To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx ...
    (Debian-User)
  • Re: [PATCH 2.6.13-rc2-mm2 5/7] v9fs: 9P protocol implementation (2.0.2)
    ... "handling" a buffer overflow with a printk doesn't seem appopinquate. ... To unsubscribe from this list: send the line "unsubscribe linux-kernel" in ...
    (Linux-Kernel)
  • Re: Nasm 0.99.00
    ... "snprintf" to get rid of a buffer overflow). ... constantly having to convert snprintf() code for DJGPP. ... char arr; ... so, yeah, if I ever do get my compiler functional, likely at least some ...
    (alt.lang.asm)
  • Re: How to develop a random number generation device
    ... buffer overflow ...] ... The linker is not the same program in any environment I have ever heard of - but it is generally *called* by the compiler automatically, so it just looks like it is part of the compiler. ... The point is, any linking issues are handled by linking directives and not by anything you give to the compiler. ... The link-loader is a different animal altogether - it is what the operating system uses to actually load and run a program. ...
    (sci.electronics.design)
  • Re: bare bones file encrypter/decrypter using 128 bit Serpent algorithm
    ... if not producing any warnings is sufficient to prove a program is bug free then here is my implementation in standard C of the "Do whatever you want" program. ... misuse strncpy, you don't seed rand(). ... Such as a buffer overflow even if the user followed the instructions. ... and in fact they cannot because the compiler does not know what you intend only what you tell it. ...
    (comp.lang.c)
Quantcast