Bugtraq mailing list archives
Re: libresolv+ bug
From: mouse () Holo Rodents Montreal QC CA (der Mouse)
Date: Mon, 19 Aug 1996 19:34:55 -0400
> It just switches the effective uid to nobody (default 65534) around a certain gethostbyname ...
> This fixed the problem as far as I can tell on my system...

> This is not a fix for any of the libresolv++ holes.

Well, it makes them slightly harder to exploit. :-)

> Firstly you can use the TRIM list to overrun the trim buffer non setuid, but make the non setuid code executed patch other parts of the binary so that when it goes back setuid -- BLAM.

Well, if the text segment is read-only, that makes it rather difficult to patch the binary. But if the binary has privilege to go setuid, then it has that privilege even when executing the buffer-overrun code, so (as you say, but for slightly different reasons) it buys you nothing in terms of real security. It would perhaps be something to consider for hardware designers to ensure that any useful sequence of code will contain a 0x00 byte; it would make a lot of such overruns harder to exploit, since most of these overruns do not permit installing any code that contains a 0x00 byte. (Which is one reason they're so bad on Intel hardware, it being a CISC architecture - I once saw a file which was simultaneously code in about three high-level languages and an Intel machine-language executable (!), which means that someone wrote a useful program that used only bytes that were printable characters....)

der Mouse

mouse () collatz mcrcim mcgill edu
01 EE 31 F6 BB 0C 34 36 00 F3 7C 5A C1 A0 67 1D
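As an added illustration (not code from anyone in the thread), the euid-toggle patch discussed above is placed beside an irrevocable privilege drop, in C for Linux/glibc (setresuid); NOBODY_UID, the function names and the return codes are the example's own assumptions:

```c
/* Added example: the "switch euid to nobody around gethostbyname" pattern
 * versus an irrevocable drop. Linux/glibc assumed (setresuid). */
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

#define NOBODY_UID 65534  /* the default "nobody" uid named in the thread */

/* Attempts seteuid(u); returns 1 if the kernel allowed it, 0 if refused.
 * On success the process is left running with euid u. */
static int can_become(uid_t u) { return seteuid(u) == 0; }

/* The patch's approach: only the effective uid moves. The saved uid still
 * holds the original identity, so code running after an overrun can simply
 * call seteuid() back to it. */
int drop_euid_temporarily(uid_t target) { return seteuid(target); }

/* Irrevocable drop: real, effective and saved uids all become target, so the
 * kernel refuses any later seteuid() to the original identity. */
int drop_privs_permanently(uid_t target) {
    return setresuid(target, target, target);
}

/* Runs the comparison. Returns 2 when started as root with the setuid
 * privilege (temporary drop reversible, permanent drop not), 1 when started
 * without it (only the permanent drop can be shown), 0 on any surprise. */
int demonstrate(void) {
    uid_t me = getuid();
    if (me == 0 && drop_euid_temporarily(NOBODY_UID) == 0) {
        if (!can_become(0)) return 0;          /* overrun code could do this */
        if (drop_privs_permanently(NOBODY_UID) != 0) return 0;
        return can_become(0) ? 0 : 2;          /* now the kernel says no */
    }
    /* Unprivileged start (or root lacking the setuid capability). */
    if (drop_privs_permanently(me) != 0) return 0;
    return can_become(NOBODY_UID) ? 0 : 1;     /* never had the privilege */
}

int main(void) {
    int r = demonstrate();
    printf("%s\n", r == 2 ? "root: temporary drop reversible, permanent drop not"
                 : r == 1 ? "unprivileged: permanent drop done, no way back up"
                 : "unexpected result");
    return r ? 0 : 1;
}
```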