YES. wu-ftpd will call compress with the file name as an argument if you
request the file name ending in .Z. You have to be able to write out a file
name containing the shell code to exploit the bug. I mentioned the compress
bug back in 1998 and again in 2000, it finally got fixed on some of the newer
SuSE releases (not sure about Red Hat, I dont use it).

See: http://msgs.securepoint.com/cgi-bin/get/bugtraq0003/179.html

Another fun one is tar, the --use-compress-program option might be
exploitable under wu-ftpd as well, although I cant think of a way to do it
offhand.

On Tuesday 05 March 2002 07:43 am, HypH wrote:
> [hyphport ~]$ rpm -qf `which compress`
> ncompress-4.2.4-21
> [hyphport ~]$ compress `perl -e 'print "A" x 1100'`
> Segmentation fault (core dumped)
> [hyphport ~]$gdb compress core
> eip 0x41414141 0x41414141 <--- :-))
> Compress isn`t suid so it gives us no benefit. And here`s my question:
> Is there any way to force the ftpd to 'compress' a file before sending it,
> from the client`s side. I`m asking for this particular daemon because of
> this:
> -rwxr-xr-x 2 root root 16k gru 12 2000 compress <-- :-))
>
> The benefits would be obvious.
>
> Sorry if it`s a known bug/vulnerability (but I`ve never heared `bout it
> before)

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]