Re: compress(vul) + ftpd(?)
From: Pavel Kankovsky (peak@argo.troja.mff.cuni.cz)
Date: 03/11/02
Date: Mon, 11 Mar 2002 11:35:09 +0100 (MET)
From: Pavel Kankovsky <peak@argo.troja.mff.cuni.cz>
To: H D Moore <sflist@digitaloffense.net>

On Sat, 9 Mar 2002, H D Moore wrote:
> ftp> mkdir A<254 * 0x90>
> ftp> cd A*
[...]
> ftp> put <reallysmallscode>
> ftp> cd ../../../../
> ftp> get A*/B*/C*/D*/reallysmallscode.Z

AFAIK this won't work because glob() does not expand the path unless a file
matching the *complete* pattern exists. But if x.Z exists, "get x.Z" will
not run compress. Fortunately, we do not get Catch 22 because there is a
nice race condition there. To make things better, wu-ftpd appears to
compute all filenames matching a pattern during wildcard expansion and
drops everything but the first entry of the list afterwards, i.e. it is
possible to make the delay much longer and easier to exploit.

> > BTW: This is an ANCIENT problem.
> You would think it would have been fixed by now ;)
Oh really? ;)
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
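
An added example, not part of the original message and not wu-ftpd code: a defensive sketch of the two behaviours discussed above. It shows glob() reporting no match unless a file matches the complete pattern, refuses multiple matches instead of keeping only the first, and opens the result immediately so later decisions refer to one file object rather than re-checking a name. The function name `open_unique_match` and the `MATCH_*` codes are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <glob.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical result codes; any value >= 0 is an open file descriptor. */
enum { MATCH_NONE = -1, MATCH_AMBIGUOUS = -2, MATCH_ERROR = -3 };

/* Expand `pattern` and bind the single result to a descriptor at once. */
int open_unique_match(const char *pattern)
{
    glob_t g = {0};
    struct stat st;
    int fd, rc;

    /* No GLOB_NOCHECK: unless a file matches the complete pattern,
     * glob() reports GLOB_NOMATCH instead of returning the pattern. */
    rc = glob(pattern, GLOB_ERR, NULL, &g);
    if (rc != 0) {
        globfree(&g);
        return rc == GLOB_NOMATCH ? MATCH_NONE : MATCH_ERROR;
    }
    /* Refuse several matches rather than silently keeping the first. */
    if (g.gl_pathc != 1) {
        globfree(&g);
        return MATCH_AMBIGUOUS;
    }
    /* Open immediately; later checks use the fd, not the name again.
     * O_NONBLOCK keeps a FIFO from stalling the open. */
    fd = open(g.gl_pathv[0], O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    globfree(&g);
    if (fd < 0)
        return MATCH_ERROR;            /* gone already, or a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return MATCH_ERROR;            /* not a regular file */
    }
    return fd;
}

int main(int argc, char **argv)
{
    int fd = open_unique_match(argc > 1 ? argv[1] : "*.Z");
    printf("result: %d\n", fd);
    if (fd >= 0)
        close(fd);
    return 0;
}
```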