Re: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995

[neil () legless demon co uk (Neil Woods)]

>
Rob J. Nauta spewed forth:
> [8LGM] Security Team dared to write:
> >                [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995
> > REPEAT BY:
> >        We have written an example exploit to overwrite syslog(3)'s
> >        internal buffer using SunOS sendmail(8).  However due to the
> >        severity of this problem, this code will not be made available
> >        to anyone at this time.  Please note that the exploit was fairly
> >        straightforward to put together, therefore expect exploits to be
> >        widely available soon after the release of this advisory.
>
> If it's so straightforward, let's have it ! I want to check my linux and
> my ISP's FreeBSD. Bugtraq is FULL DISCLOSURE !! So, please post source/
> scripts now !

Aye its straightforward, it took 2 hrs to get results.  Anyone who has
done some development (well more accurately debugging ;-) work, should
be able to get results quickly for the architecture they work with.

Unfortunately if we did give you (and everyone else to be fair) the exploit:

1) Linux or FreeBSD don't run sendmail v5.  The exploit is based on
v5's usage of syslog() (It just so happened that sendmail v5 was the
first daemon we looked at for exploit possibilities).

2) I can't port it to other operating systems, as I don't run either
Linsux or FreeBSD, even if you are using Sparc architectures.

3) Rampant hacking would ensue.

As for vulnerability, I believe both FreeBSD and Linux have fixes
available.

Cheers,

Neil

P.S. Next time this kind of bug crops up, expect exploits to be
available much more quickly - modifying an exploit for syslog()
would be extremely straightforward :-|

--
Let the Mystery Be, So Watcha Want, Longing In Their Hearts, Hate My Way,
M-Bike, Safari, Uncle June and Aunt Kiyoti, Daisy Dead Petals, Tuff Gnarl.

     ...like a badger with an afro throwing sparklers at the Pope...