Re: Microsoft FTP Client Multiple Bufferoverflow Vulnerability

From: Steve Shockley <steve.shockley@shockley.net>
To: bugtraq@securityfocus.com
Cc:
Subject: Re: Microsoft FTP Client Multiple Bufferoverflow Vulnerability
Date:


Valdis.Kletnieks@vt.edu wrote:
>> An attacker who can convince a user to extract a specially crafted
>> archive can overwrite arbitrary files with the permissions of the user
>> running gtar.  If that user is root, the attacker can overwrite any
>> file on the system.
> 
> Apparently, somebody at FreeBSD thinks "can be exploited if you trick the
> user into doing something" is a valid attack vector.

The difference is that I'd be surprised when I got 0wned by unpacking an 
archive, and not all that surprised when I got 0wned by running a random 
executable (script) file.




