webfsd fun. opensource is god .lol windows

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: webfsd fun. opensource is god .lol windows
From: yan feng <jsk@xxxxxxxxxxx>
Date: 19 Feb 2005 20:14:58 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


                          webfsd fun. opensource is god .lol windows


                                pst.security advisory 2005-2-20


Systems affected:
unstable webfsd 1.21
stable wenfsd 1.17.2


no affected


no..all remote exploitable



1:  why advisory?  this bug is found two years ago ,yeach, debian   and webfsd 
coder can't path this   hehe...:P   it is no problem...  this  is not power 
...so pub it


2:  Description:
all webfsd can be remote exploit easily by writeable dir...

see gdb ..:P

problem  is in ls.c....   i don't want to path it..hehe 


static char* 
ls(time_t now, char *hostname, char *filename, char *path, int *length)
{
    DIR            *dir;
    struct dirent  *file;
    struct myfile  **files = NULL;
    struct myfile  **re1;
    char           *h1,*h2,*re2,*buf = NULL;
    int            count,len,size,i,uid,gid;
    char           line[1024];
    char           *pw = NULL, *gr = NULL;

    if (debug)
        fprintf(stderr,"dir: reading %s\n",filename);
    if (NULL == (dir = opendir(filename)))
        return NULL;

    /* read dir */
    uid = getuid();
    gid = getgid();
    for (count = 0;; count++) {
        if (NULL == (file = readdir(dir)))
            break;
        if (0 == strcmp(file->d_name,".")) {
            /* skip the the "." directory */
            count--;
            continue;
        }
        if (0 == strcmp(path,"/") && 0 == strcmp(file->d_name,"..")) {
            /* skip the ".." directory in root dir */
            count--;
            continue;
        }

        if (0 == (count % 64)) {
            re1 = realloc(files,(count+64)*sizeof(struct myfile*));.....  it is 
not good code tips.:P
            if (NULL == re1)
                goto oom;
            files = re1;
        }

        files[count] = malloc(strlen(file->d_name)+sizeof(struct myfile));
        if (NULL == files[count])
            goto oom;
        strcpy(files[count]->n,file->d_name);......:P
        sprintf(line,"%s/%s",filename,file->d_name);   .....:P
        if (-1 == stat(line,&files[count]->s)) {
            free(files[count]);
            count--;
            continue;
        }



..................................................

gdb it

Program received signal SIGSEGV, Segmentation fault.
0x4009c5eb in strlen () from /lib/libc.so.6
(gdb) bt
#0  0x4009c5eb in strlen () from /lib/libc.so.6
#1  0x4006ea53 in vfprintf () from /lib/libc.so.6
#2  0x4008866b in vsprintf () from /lib/libc.so.6
#3  0x4007632d in sprintf () from /lib/libc.so.6
#4  0x0804df44 in ls (now=1094795585, hostname=0x41414141 "",
    filename=0x41414141 "", path=0x41414141 "", length=0x41414141) at ls.c:254
#5  0x41414141 in ?? ()
#6  0x41414141 in ?? ()
#7  0x41414141 in ?? ()
#8  0x41414141 in ?? ()
#9  0x41414141 in ?? ()

....................................................

i sent a mail to kraxel@xxxxxxxxxxx   (2004. 2.6)

but I don't receive reply ...so ...  



2003 I have do another an working exploit for this bug..



easy to gain  ....



webfsd : i use it to upload movies.... it is clear  and fast.. 




^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
resol..

 webfsd new version(:P)

http://linux.bytesex.org/misc/webfs.html     


I don't like go to work... but i have to do it..

Prev by Date: [Hat-Squad] Findjmp2 Tool
Next by Date: cfengine rsa heap remote exploit: part of PTjob project
Previous by thread: [Hat-Squad] Findjmp2 Tool
Next by thread: cfengine rsa heap remote exploit: part of PTjob project
Index(es):
- Date
- Thread