|
The patches have been available over a week now. I think that is long
enough.
On the 1st of December Przemyslaw Frasunek (venglin@freebsd.lublin.pl)
wrote something about getting a wu-ftpd exploit working. The problem he
was having was to do with the following macro:
#define arena_for_ptr(ptr) \
(((mchunkptr)(ptr) < top(&main_arena) && (char *)(ptr) >= sbrk_base) ? \
&main_arena : heap_for_ptr(ptr)->ar_ptr)
He worked around it by making a hacked up version of the malloc function.
My solution: put the chunk on the heap between sbrk_base and the top value
of the main_arena.
How? Get the chunk malloc()ed and stored there, then brute force it. (The
exact position varies depending on a whole lot of things, and brute
forcing is nice for system admins. They have pretty good evidence that
there has been an attack. ;])
-- zen-parse
P.S. Apparently there are earlier versions of this exploit floating
around. Many of them are even buggier than this one, and all some of them
will do is add a few hundred K to the log files.
P.P.S Sorry, but it was too much temptation to resist posting it as
wu261.c. The program is a wrapper for the archive.
--
-------------------------------------------------------------------------
The preceding information is confidential and may not be redistributed
without explicit permission. Legal action may be taken to enforce this.
If this message was posted by zen-parse@gmx.net to a public forum it may
be redistributed as long as these conditions remain attached. If you are
mum or dad, this probably doesn't apply to you.
|
