Vulnerability Development mailing list archives

Re: fbsd 3.3 ospf_monitor research


From: sebastion () IRELANDMAIL COM (Jeff Bachtel)
Date: Sun, 10 Oct 1999 08:30:28 -0500


Isn't OSPF a layer directly over IP? That is, doesn't it require using
special libraries with root priv's to open up a socket to listen to
OSPF traffic?

Of course, I may be smoking crack here.

jeff
(not that I would install it suid. If you need to monitor OSPF, you
are probably root anyway, and can set up sudo and whatnot)

I wonder if anyone could research fbsd 3.3's ospf_monitor program.  It has an
exploitable buffer overflow:
bash-2.03$ ./smashf 1100 600
Using address: 0xbfbfd834
bash-2.03$ ospf_monitor AA$RET
listening on 0.0.0.0.1495
monconf: Can't open monitor conf file

...

uid=1000 euid=1000 gid=1000 egid=1000
bash-2.03$

But evidently drops privs before it occurs (apparently after it binds to port
1495).  Now why, if it binds to an unpriv'd port, would it have suidroot privs
to begin with?  And what could command execution actually get us if not a
rootshell?

Brock Tellier
UNIX Systems Administrator
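The thread turns on two points: whether port 1495 needs root at all, and whether ospf_monitor's privilege drop really leaves nothing to regain. The C below is an added example written for this archive page, not ospf_monitor's or gated's code; it assumes a POSIX system and uses the invoking user's own uid/gid as a constructed drop target so it runs without root.

```c
/* Added example (not ospf_monitor's code): a setuid-root program that only
 * needs an unprivileged port should shed root before touching any input,
 * and should verify that the drop cannot be undone. POSIX assumed. */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Only ports below 1024 need root to bind; 1495 (from the post) does not. */
int port_requires_privilege(int port)
{
    return port > 0 && port < 1024;
}

/* Drop to uid/gid in the safe order: supplementary groups, gid, then uid. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* setgroups() is root-only; skip it when already unprivileged. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Returns 1 only if euid is non-zero AND setuid(0) is refused with EPERM. */
int privileges_dropped(void)
{
    if (geteuid() == 0)
        return 0;
    if (setuid(0) == 0)
        return 0;               /* root regained: saved uid was left at 0 */
    return errno == EPERM;
}

int main(void)
{
    printf("port 1495 needs root: %s\n",
           port_requires_privilege(1495) ? "yes" : "no");
    /* Constructed target: the real uid/gid of whoever runs this. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("drop irreversible: %s\n", privileges_dropped() ? "yes" : "no");
    return 0;
}
```

Run as a non-root user it reports that 1495 needs no root and that the drop is irreversible; a program that only lowered its effective uid would fail the second check.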

