Bugtraq mailing list archives
Re: LinCity Buffer Overflow
From: rct () MERKIN CSAP AF MIL (Bob Tracy - TDS)
Date: Mon, 16 Mar 1998 13:40:21 -0600
T. Freak wrote:
> While a buffer overflow is blatantly obvious in the code, I don't think it is very dangerous. Observe.
>
> (exploit attempt)
>
> sh-2.01$ id
> uid=1000(tfreak) gid=1000(tfreak) groups=1000(tfreak),0(root),4(adm),7(lp),24(cdrom),25(floppy),31(majordom),69(geek)
> sh-2.01$

The version of bash you are running is the key here... 2.01 renounces setuid/setgid privs when called as "sh", e.g., system() within a program, unless the "-p" flag is passed. See the "NOTES" file in the root directory of the bash-2.01.1 distribution for details.

--
Bob Tracy                 | "Eagles may soar, but weasels don't get
AFIWC/TIPER               |  sucked into jet engines."
rct () merkin csap af mil |              --Anon
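
The behaviour described in the reply, as an added example that is not part of the original post and is not bash's source: a C sketch of a program that gives up setuid/setgid ids at startup unless a keep-privileges flag is passed. The function names and the `-p` handling in `main` are assumptions made for illustration.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: drop only when the effective ids differ from the
 * real ids (started from a setuid/setgid program) and the caller did not
 * ask to keep them (the role "-p" plays in the reply above). */
int should_drop(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid, int keep_flag)
{
    int setid = (ruid != euid) || (rgid != egid);
    return setid && !keep_flag;
}

/* Reset effective ids to the real ids.
 * Returns 0 on success or when there was nothing to drop, -1 on failure. */
int drop_setid_privs(int keep_flag)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();

    if (!should_drop(ruid, euid, rgid, egid, keep_flag))
        return 0;
    /* Group first: once the uid is unprivileged, setgid() may be refused. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* Never continue on an unchecked drop: confirm it took effect. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Assumed flag handling: "-p" as the first argument keeps the ids. */
    int keep = (argc > 1 && argv[1][0] == '-' && argv[1][1] == 'p');

    if (drop_setid_privs(keep) != 0) {
        perror("drop_setid_privs");
        return 1;
    }
    printf("uid=%d euid=%d gid=%d egid=%d\n",
           (int)getuid(), (int)geteuid(), (int)getgid(), (int)getegid());
    return 0;
}
```

Run without setuid/setgid bits, the program prints matching real and effective ids and changes nothing.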