Bugtraq mailing list archives
Re: More Overflows...
From: marc () SUSE DE (Marc Heuse)
Date: Fri, 4 Sep 1998 09:42:35 +0200
Hi,
> smbclient version: 1.9.18p3
> Overflow occurs after 8505 characters
> compress version: 4.2.4
> Overflow at 1100 characters
> elvis version: 2.0
> Lots of fun quirks over 1000-100000; maybe an exploit symlinking with tmp's
> lha version: 1.02
> Overflow at >19211
None of these applications is s[ug]id, so these overflows cannot be exploited to gain privilege.

About the symlink attack on elvis-2.0:

/* unix/osprg.c */
char id_osprg[] = "$Id: osprg.c,v 2.9 1996/05/23 00:03:51 steve Exp $";

#define TMPDIR (o_directory ? tochar8(o_directory) : "/tmp")
static char tempfname[100]; /* name of temp file */

/* create a temporary file for feeding the program's stdin */
sprintf(tempfname, "%s/elvis%d.tmp", TMPDIR, (int)getpid());
writefd = open(tempfname, O_WRONLY|O_CREAT|O_EXCL, 0600);
if (writefd < 0)
{
    msg(MSG_ERROR, "can't make temporary file");
    free(command);
    return False;
}

It's not vulnerable.
> There are many more but I'm too tired to document them; if you have any
> questions, I can be reached at hdmoore () usa net
If some of them can really be used to gain more privileges on the machine or result in a denial-of-service, email them to security () suse de please.
> The major concern I have is non-privileged users trashing system files with
> suid apps, please check ALL your suid's for overflows... Anyways, Thrill Kill
> rocked and I'm beat and bloody from the pit, so goodnight.
Well, if you find any, drop me a note.

Greets,
Marc

--
Marc Heuse, S.u.S.E. GmbH, Fahrradstr. 56, D-90429 Nuernberg
E@mail: marc () suse de   Function: Security Support & Auditing
Use "finger marc () suse de | pgp -fka" for my public pgp key
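The reason the quoted elvis snippet is safe is the O_EXCL flag: POSIX requires open() with O_CREAT|O_EXCL to fail with EEXIST when anything already exists at the path, a symbolic link included, and the existence check and the creation happen in one atomic call, so there is no window for a planted link. The program below is an added demonstration, not code from the thread or from elvis. It builds a scratch directory under $TMPDIR (or /tmp), creates a stand-in "victim" file, plants a symlink named like the editor's temp file pointing at it, and then opens that path twice: once the way elvis does, and once with the same flags minus O_EXCL. The directory name, the victim file and the "trashed" marker are constructed for the demo.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Outcomes of one open() attempt (names chosen for this demo). */
enum open_result { OPENED = 1, REFUSED_EEXIST = 2, OTHER_ERROR = 3 };

/* Build the constructed layout under $TMPDIR (or /tmp):
 *   <dir>/victim          a file standing in for something worth overwriting
 *   <dir>/elvis<pid>.tmp  a symlink to victim, planted before the "editor" opens it
 * Returns 0 on success, -1 on failure. */
static int plant_symlink(char *dir, size_t dirlen, char *link, size_t linklen)
{
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0') base = "/tmp";
    snprintf(dir, dirlen, "%s/oexcl_demo_%d", base, (int)getpid());
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) return -1;

    char victim[512];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    close(fd);

    snprintf(link, linklen, "%s/elvis%d.tmp", dir, (int)getpid());
    unlink(link);                       /* tolerate leftovers from an earlier run */
    return symlink(victim, link);
}

/* The elvis pattern quoted in the thread: O_CREAT|O_EXCL. If anything already
 * exists at the path, symlink included, open() fails with EEXIST and the
 * planted link is never followed. */
static enum open_result open_excl(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) { close(fd); return OPENED; }
    return errno == EEXIST ? REFUSED_EEXIST : OTHER_ERROR;
}

/* The same open without O_EXCL: the symlink is followed and the program's
 * "temporary" data lands in whatever file the link points at. */
static enum open_result open_without_excl(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return OTHER_ERROR;
    if (write(fd, "trashed\n", 8) != 8) { close(fd); return OTHER_ERROR; }
    close(fd);
    return OPENED;
}

/* 1 if the victim file now holds the bytes written through the link, else 0. */
static int victim_was_written(const char *dir)
{
    char victim[512], buf[16];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    int fd = open(victim, O_RDONLY);
    if (fd < 0) return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n <= 0) return 0;
    buf[n] = '\0';
    return strcmp(buf, "trashed\n") == 0;
}

/* Run both opens against the planted link, then clean up. Returns 1 exactly
 * when O_EXCL refused the link and the unguarded open followed it into victim. */
static int run_demo(void)
{
    char dir[256], link[512], victim[512];
    if (plant_symlink(dir, sizeof dir, link, sizeof link) != 0) return 0;

    int excl  = open_excl(link);
    int plain = open_without_excl(link);
    int hit   = victim_was_written(dir);

    snprintf(victim, sizeof victim, "%s/victim", dir);
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return excl == REFUSED_EEXIST && plain == OPENED && hit;
}

int main(void)
{
    if (run_demo())
        puts("O_EXCL refused the planted symlink; the open without O_EXCL followed it");
    else
        puts("demo could not be set up");
    return 0;
}
```

Two caveats when reviewing code like this: O_EXCL only protects the create step, so a program that later reopens the same name without it is back to square one, and on Linux the demo deliberately uses a private directory rather than /tmp itself because the fs.protected_symlinks sysctl can also block the unguarded open in sticky world-writable directories, which would hide the difference being shown.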
Current thread:
- More Overflows... HD Moore (Sep 03)
- Re: More Overflows... Marc Heuse (Sep 04)
- Re: More Overflows... Theo de Raadt (Sep 04)
- Re: More Overflows... Aaron Bornstein (Sep 04)