Greetings...

Edgar...

--
... everything can fail, you can't...

---------- Forwarded message ----------
Date: Mon, 14 May 2001 21:21:47 +0200
From: Sylwester Zarębski <sylwek en tornet pl>
To: bugtraq en securityfocus com
Subject: Re: RH7.0: man local gid 15 (man) exploit [UNCONFIRMED]

Sunday, May 13, 2001, 10:07:34 PM, zenith wrote:

> ========================================================
> Vulnerable systems: redhat 7.0 with man-1.5h1-10 (default
> package) and earlier.
> =========================================================
> Heap Based Overflow of man via -S option gives GID man.
> Due to a slight error in a length check, the -S option to
> man can cause a buffer overflow on the heap, allowing redirection of
> execution into user supplied code.
> man -S `perl -e 'print ":" x 100'`

Confirmed:

$ man -S `perl -e 'print ":" x 100'` sometext
Segmentation fault

> Will cause a seg fault if you are vulnerable.
> It is possible to insert a pointer into a linked list that will allow
> overwriting of any value in memory that is followed by 4 null
> characters (a null pointer). One such memory location is the last
> entry on the GOT (global offset table). When another item is added to
> the linked list, the address of the data (a filename) is inserted over
> the last value, effectively redefining the function to the code
> represented by the filename.
> Putting shellcode in the filename allows execution of arbitrary code
> when the function referred to is called.
> Redhat have been contacted, and will be releasing an errata soon.
> GID man allows a race condition for root via
> /etc/cron.daily/makewhatis and /sbin/makewhatis

My 'man' executable comes from the default installation of RH 7.0.
--
regards | Sylwester Zarębski |
| e-mail: sylwek en tornet pl |
| ICQ uin: #45780888 |
| Administrator TORNET.PL |

---------------------------------------------------------
To leave the list, send a message with the words "unsubscribe ayuda" in the body to majordomo en linux org mx
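The forwarded report attributes the crash to a "slight error in a length check" when man copies the -S section list into a heap buffer. As an added illustration from the defender's side, written for this page and not taken from man's source or from either poster, the C program below copies a colon-separated section list into a fixed-size heap buffer with the boundary check written so that the terminating NUL is accounted for, and exercises it with an ordinary list and with the 100-colon argument the report used as a crash test. The buffer size SECTION_LIST_MAX, the function names and the sample inputs are assumptions of this example; the report does not describe man's internals.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the heap buffer that holds the joined section list.
 * Hypothetical value chosen for this example; the report does not
 * give man's real limit. */
#define SECTION_LIST_MAX 64

/*
 * Copy a user-supplied colon-separated section list (the argument of
 * an option like `man -S`) into a freshly allocated heap buffer of
 * fixed size, rejecting it when it does not fit.
 *
 * Returns the new buffer, or NULL when the argument is too long or
 * allocation fails. The caller frees the result.
 */
char *copy_section_list(const char *arg)
{
    size_t len = strlen(arg);

    /* A buffer of SECTION_LIST_MAX bytes holds at most
     * SECTION_LIST_MAX - 1 characters plus the NUL. Writing this test
     * as `len > SECTION_LIST_MAX` instead of `>=` is the classic
     * off-by-one that lets one extra byte land past the allocation,
     * the kind of small length-check error the report describes. */
    if (len >= SECTION_LIST_MAX)
        return NULL;

    char *buf = malloc(SECTION_LIST_MAX);
    if (buf == NULL)
        return NULL;

    memcpy(buf, arg, len + 1);  /* len + 1 includes the NUL; fits by the check above */
    return buf;
}

/* Count the non-empty sections in a list accepted by
 * copy_section_list(); empty fields as in "1::3" are skipped. */
int count_sections(const char *list)
{
    int n = 0;
    const char *p = list;
    while (*p != '\0') {
        if (*p != ':') {
            n++;
            while (*p != '\0' && *p != ':')
                p++;
        } else {
            p++;
        }
    }
    return n;
}

/* Build a string of n colons: the shape of the report's crash-test
 * input, constructed here rather than captured from a real run. */
char *make_colons(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, ':', n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    const char *good = "1:8:3";
    char *copy = copy_section_list(good);
    printf("\"%s\" -> %s (%d sections)\n", good,
           copy ? "accepted" : "rejected",
           copy ? count_sections(copy) : 0);
    free(copy);

    char *colons = make_colons(100);
    copy = copy_section_list(colons);
    printf("100 colons -> %s\n", copy ? "accepted" : "rejected");
    free(copy);
    free(colons);
    return 0;
}
```

The check is deliberately placed before the allocation, so an over-long argument never reaches a copy at all; a program that allocates first and checks afterwards has to get the comparison exactly right, which is where the report says man went wrong.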