Subject: Re: ftpd bug in FreeBSD through at least 3.4
From: Dave McKay (davemu.org)
Date: Tue Oct 03 2000 - 03:38:15 CDT


Brett,

This bug was a non-issue from the start. Why did you have to drag your results
onto the list? Wasn't it apparent after Warner said that they no longer support
older releases of FreeBSD due to resource shortness that the thread was pointless?

My second rant is, have you ever noticed WHENEVER you write into the list it's ALWAYS
the longest current thread running within a VERY short time? Do you think this is
because of your genius in the BSD OS field? Or perhaps it's due to your keen wits
being always about you when you write in. Please, and I mean this, DIE.

Brett Glass (brettlariat.org) wrote:
> At 03:39 PM 10/2/2000, Kris Kennaway wrote:
>
> >No, I think your client is expanding the %s locally and sending the
> >junk to the server.
>
> Kris:
>
> I think you may be right here! The client may also be expanding the
> %s on the way BACK from the server. If this is the case, it is
> more serious because it means that a malicious server might be
> able to take over the client.
>
> I am checking to see if there are holes in the server, too. So
> far, when I send the same strings to the server using good ol'
> Telnet the server seems to respond pretty much correctly. There
> are still some minor server glitches: Some error messages are sent
> twice instead of once, the command is always changed to all uppercase
> up to the first whitespace and then echoed back with this modification,
> and trailing whitespace at the ends of commands is not ignored. But
> while these things could use fixing, none of them are exploitable.
>
> --Brett
>
>
>
> To Unsubscribe: send mail to majordomoFreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
Dave McKay
Network Engineer - Google Inc.
davemu.org - davegoogle.com
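
Added example, not part of the original thread and not FreeBSD's ftp code: the client-side concern raised in the quoted message (reply text from the server being expanded as a format string) is avoided by passing the reply only as an argument to a constant format. The function names `count_directives` and `render_reply` and the sample replies are hypothetical and constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Count printf-style directives in untrusted text; "%%" is a literal
 * percent sign and is not counted. A non-zero result is worth logging. */
static int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;                 /* skip the escaped percent */
        else if (s[1] != '\0')
            n++;
    }
    return n;
}

/* Prepare one server reply line for display. The reply is only ever the
 * argument of a constant "%s" format (the unsafe form is printf(reply)),
 * and non-printable bytes become '?'. Returns the directive count. */
static int render_reply(const char *reply, char *out, size_t outlen)
{
    size_t i;
    if (outlen == 0)
        return -1;
    snprintf(out, outlen, "%s", reply);
    for (i = 0; out[i] != '\0'; i++)
        if (!isprint((unsigned char)out[i]))
            out[i] = '?';
    return count_directives(reply);
}

int main(void)
{
    /* Constructed sample replies, not captured from a real server. */
    const char *samples[] = { "230 User logged in.",
                              "550 %s%s%s%n: No such file.",
                              "226 100%% complete\r\n" };
    char line[128];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int d = render_reply(samples[i], line, sizeof line);
        printf("%-32s directives=%d\n", line, d);
    }
    return 0;
}
```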
