[Full-disclosure] QFTP (LIBFtp 3.1-1) (command line) sprintf() local buffer overflow
Valdis.Kletnieks at vt.edu
Valdis.Kletnieks at vt.edu
Fri Mar 16 01:36:12 GMT 2007
On Thu, 15 Mar 2007 21:12:50 BST, =?ISO-8859-1?Q?Knud_Erik_H=F8jgaard?= said:
> On 3/15/07, starcadi starcadi <starcadi at gmail.com> wrote:
>
> > >> POC
> yes, piece of crap. Who cares about local overflows in non-suid applications?
It can be interesting if you can find a way to get some *other* user to
run the application - so if you can find a web server that has a CGI that
invokes QFTP (or whatever) with attacker-controlled parameters, you can use
that to pwn the webserver. Basically, you need to be able to leverage the
distinction between "yourself" and "the userid executing the program".
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070315/b07a5fc5/attachment.bin
Full-Disclosure is hosted and sponsored by Secunia.