--On Wednesday, November 17, 2004 12:13:52 AM +0100 Christian <[EMAIL PROTECTED]> wrote:

hm, I still don't get it: the daemon has to answer to "dir" too, doesn't he? the sole reason that "ls is a unix utility" does not make sense in this context. "ls" and "dir" are not vulnerable here, sure, but this still does not explain why smbd acts differently here. I've played around with tcpdump and strace here. the tcpdump looks very similar; the smbd's answer to "ls" is much shorter, as "strace" reveals.

I've obviously done a poor job of explaining the problem then.

When you do a "dir", you are making a call that the daemon has to respond to. The daemon is vulnerable, so when you make a "dir" request with the specific parameters that overflow the buffer in the daemon, it crashes.

When you do an "ls", you are making a call that the *os* has to respond to. The os is *not* vulnerable, so it (properly) rejects the request as malformed.

Hopefully that makes more sense to you.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html