Full Disclosure mailing list archives

Re: GNU gcc vuln. < 3.4.3 local root (.php)

From: Andrew Farmer <andfarm () teknovis com>
Date: Mon, 17 Jan 2005 01:39:55 -0800

On 17 Jan 2005, at 00:30, ZzagorR ZzagorR wrote:

#!/usr/bin/php -a
<?
/*
GNU gcc vuln. < 3.4.3
By ZzagorR (MARMARA UNIVERSITY)
zzagorrzzagorr () hotmail com
http://www.rootbinbash.com
thanks to [NST]
ah vizeler ahhhhh
*/

<snip>

Ha ha ha.

Old "vulnerability". Equivalent to:

/* fake_vuln.c */
int getuid(void) { return 0; }
int geteuid(void) { return 0; }
int getgid(void) { return 0; }


sh % gcc -shared fake_vuln.c -o fake_vuln.so
sh % LD_PRELOAD=`pwd`/fake_vuln.so /bin/sh
sh # id
uid=0(root) gid=0(root) <etc etc etc>
sh # cat /etc/shadow
cat: /etc/shadow: Permission denied

The sad part is that rootbinbash.com has posted this as a realvulnerability.

Attachment: PGP.sig
Description: This is a digitally signed message part

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

GNU gcc vuln. < 3.4.3 local root (.php) ZzagorR ZzagorR (Jan 17)
- Re: GNU gcc vuln. < 3.4.3 local root (.php) Andrew Farmer (Jan 17)
  - Re: GNU gcc vuln. < 3.4.3 local root (.php) Christian (Jan 18)
- <Possible follow-ups>
- Re: GNU gcc vuln. < 3.4.3 local root (.php) ZzagorR ZzagorR (Jan 17)