BugTraq
Microsoft FTP Client Multiple Bufferoverflow Vulnerability Nov 28 2007 06:12AM Rajesh Sethumadhavan (rajesh sethumadhavan yahoo com) (1 replies)
Re: Microsoft FTP Client Multiple Bufferoverflow Vulnerability Nov 29 2007 11:46AM 3APA3A (3APA3A SECURITY NNOV RU) (1 replies)
Re: Microsoft FTP Client Multiple Bufferoverflow Vulnerability Nov 29 2007 10:19PM Valdis Kletnieks vt edu (3 replies)
Re: Microsoft FTP Client Multiple Bufferoverflow Vulnerability Nov 30 2007 08:44AM Vincent Archer (varcher denyall com)
Re: Microsoft FTP Client Multiple Bufferoverflow Vulnerability Nov 29 2007 11:09PM Steve Shockley (steve shockley shockley net) (1 replies)
Re[2]: Microsoft FTP Client Multiple Bufferoverflow Vulnerability Nov 30 2007 12:18AM Matthew Leeds (mleeds theleeds net)
--Friday, November 30, 2007, 1:19:49 AM, you wrote to 3APA3A (at) SECURITY.NNOV (dot) RU [email concealed]:
>> An attacker who can convince a user to extract a specially crafted
>> archive can overwrite arbitrary files with the permissions of the user
>> running gtar. If that user is root, the attacker can overwrite any
>> file on the system.
VKve> Apparently, somebody at FreeBSD thinks "can be exploited if you trick the
VKve> user into doing something" is a valid attack vector.
This is a valid factor. The difference is, if you can force a user to
extract an archive, you need a vulnerability in gtar in order to exploit it. If
you can force a user to run an executable script, you need no vulnerability
in the FTP client to exploit this.
--
~/ZARAZA http://securityvulns.com/
The trouble will start at eight. (Twain)