Re[2]: Solaris telnet vulnerability - how many on your network?


Date: Thu, 22 Feb 2007 17:15:21 -0500 (EST)
From: "Steven M. Christey" <coley@mitre.org.>
To: bugtraq@securityfocus.com
Subject: Re[2]: Solaris telnet vulnerability - how many on your network?
X-Virus-Scanned: antivirus-gw at tyumen.ru


Cromar Scott said:

> I know that my initial reaction was "haven't I seen this before?"
> but the above two are what I found in my notes when I looked back.

There are at least 20 FTP server implementations that have had buffer
overflows with a long USER command.  HTTP GET directory traversals are
probably not that far behind.


Thierry Zoller said:

> a very simple exploit, which does not require any code to be compiled
> by an attacker, exists. The exploit requires the attacker to simply
> define the environment variable TTYPROMPT to a 6 character string,
> inside telnet. I believe this overflows an integer inside login, which
> specifies whether or not the user has been authenticated (just a
> guess).

As buffer overflow protection schemes get stronger, I would expect to
see more of these "data-driven" attacks that target adjacent data
instead of the stack or the heap.  It's all about how important the
adjacent data is and when it's accessed.  The overflow in
CVE-2004-1291 was used to turn a server into a spam relay, for
example.  Presumably, data-driven attacks are being done by Windows
researchers already?  I don't usually study overflows down to that
level of detail.  To get the same effect in Perl, you could exploit a
format string vulnerability in a Perl application by causing the
*printf to write to shifted arguments (see my white paper from some
time back), but that's probably pretty rare in the wild for the
handful of people who bother to look.

- Steve
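The "adjacent data" point in Steve's message, shown as an added example that is not part of the original post and is not code from Solaris login or any other program discussed in the thread. The struct, field names and both functions are constructed for illustration: a fixed-size string field sits directly in front of an `authenticated` flag, one copy routine trusts the caller's length and one does not, so the only thing that decides whether the flag survives is a bounds check on the copy.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy layout (hypothetical, not from any real login program):
 * an 8-byte terminal string is followed immediately by an int flag.
 * With no padding between them, byte 8 of the struct is the flag's first
 * byte, so anything that runs off the end of terminal[] lands in it. */
struct session {
    char terminal[8];     /* e.g. a terminal-type or prompt string */
    int  authenticated;   /* 0 = not yet authenticated, non-zero = trusted */
};

/* Unbounded copy: trusts the caller's length. terminal[] is the first
 * field, so the copy starts at the beginning of the struct and nothing
 * stops it from continuing past the 8 bytes into authenticated.
 * Returns the flag's value after the copy so the effect is observable. */
int set_terminal_unsafe(struct session *s, const char *src, size_t len)
{
    s->authenticated = 0;
    memcpy((char *)s, src, len);        /* no bounds check */
    return s->authenticated;
}

/* Bounded copy: rejects input that does not fit (with room for the
 * terminator), so the adjacent flag can only change through code that
 * is meant to change it. Returns -1 on rejection, else the flag value. */
int set_terminal_safe(struct session *s, const char *src, size_t len)
{
    s->authenticated = 0;
    if (len >= sizeof s->terminal) {
        return -1;                      /* too long: refuse, caller handles it */
    }
    memcpy(s->terminal, src, len);
    s->terminal[len] = '\0';
    return s->authenticated;
}

int main(void)
{
    struct session s;
    /* Constructed 12-byte input: 8 bytes fill terminal[], the last 4
     * would overlay authenticated if the copy is unbounded. */
    static const char input[] = "AAAAAAAA\x01\x01\x01\x01";

    printf("unbounded copy -> authenticated = %d\n",
           set_terminal_unsafe(&s, input, 12));
    printf("bounded copy   -> result %d, authenticated = %d\n",
           set_terminal_safe(&s, input, 12), s.authenticated);
    return 0;
}
```

The point for a defender is that nothing about the input is "shellcode" and no return address is involved: a length check on a single copy is what separates an input that is merely too long from one that flips a trust decision, which is why such checks belong at the point where the data enters the structure rather than somewhere later in the authentication path.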
