webfsd fun. opensource is god .lol windows

2005-02-20T00:00:00
ID SECURITYVULNS:DOC:7872
Type securityvulns
Reporter Securityvulns
Modified 2005-02-20T00:00:00

Description

                      webfsd fun. opensource is god .lol windows


                            pst.security advisory 2005-2-20

Systems affected: unstable webfsd 1.21, stable webfsd 1.17.2

Not affected: none.. all are remotely exploitable

1: Why an advisory? This bug was found two years ago, yeah, Debian and the webfsd coder can't patch this hehe...:P It is no problem... this is not power... so pub it

2: Description: all webfsd versions can be remotely exploited easily via a writable dir...

see gdb ..:P

The problem is in ls.c.... I don't want to patch it..hehe

    static char *ls(time_t now, char *hostname, char *filename, char *path, int *length)
    {
        DIR *dir;
        struct dirent *file;
        struct myfile **files = NULL;
        struct myfile **re1;
        char *h1,*h2,*re2,*buf = NULL;
        int count,len,size,i,uid,gid;
        char line[1024];
        char *pw = NULL, *gr = NULL;

        if (debug)
            fprintf(stderr,"dir: reading %s\n",filename);
        if (NULL == (dir = opendir(filename)))
            return NULL;

        /* read dir */
        uid = getuid();
        gid = getgid();
        for (count = 0;; count++) {
            if (NULL == (file = readdir(dir)))
                break;
            if (0 == strcmp(file->d_name,".")) {
                /* skip the "." directory */
                count--;
                continue;
            }
            if (0 == strcmp(path,"/") && 0 == strcmp(file->d_name,"..")) {
                /* skip the ".." directory in root dir */
                count--;
                continue;
            }

            if (0 == (count % 64)) {
                re1 = realloc(files,(count+64)*sizeof(struct myfile*)); /* ..... it is not good code tips.:P */
                if (NULL == re1)
                    goto oom;
                files = re1;
            }

            files[count] = malloc(strlen(file->d_name)+sizeof(struct myfile));
            if (NULL == files[count])
                goto oom;
            strcpy(files[count]->n,file->d_name);          /* ......:P */
            /* no length check here: "filename/d_name" is written into the 1024-byte line[] */
            sprintf(line,"%s/%s",filename,file->d_name);   /* .....:P */
            if (-1 == stat(line,&files[count]->s)) {
                free(files[count]);
                count--;
                continue;
            }

..................................................

gdb it

    Program received signal SIGSEGV, Segmentation fault.
    0x4009c5eb in strlen () from /lib/libc.so.6
    (gdb) bt
    #0  0x4009c5eb in strlen () from /lib/libc.so.6
    #1  0x4006ea53 in vfprintf () from /lib/libc.so.6
    #2  0x4008866b in vsprintf () from /lib/libc.so.6
    #3  0x4007632d in sprintf () from /lib/libc.so.6
    #4  0x0804df44 in ls (now=1094795585, hostname=0x41414141 "",
        filename=0x41414141 "", path=0x41414141 "", length=0x41414141) at ls.c:254
    #5  0x41414141 in ?? ()
    #6  0x41414141 in ?? ()
    #7  0x41414141 in ?? ()
    #8  0x41414141 in ?? ()
    #9  0x41414141 in ?? ()

....................................................

I sent a mail to kraxel@bytesex.org (2004. 2.6)

but I didn't receive a reply ...so ...

In 2003 I have done another working exploit for this bug..

easy to gain ....

webfsd : i use it to upload movies.... it is clear and fast..

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ resol..

webfsd new version(:P)

http://linux.bytesex.org/misc/webfs.html

I don't like going to work... but I have to do it..