Vulnerability Development mailing list archives
Re: Unsafe Signal Handling unix_chkpwd?
From: Michal Zalewski <lcamtuf () bos bindview com>
Date: Thu, 31 May 2001 22:15:54 -0400 (EDT)
On Thu, 31 May 2001, Charles Stevenson wrote:
Hi, great paper. I just started hammering at all the standard suid binaries and at the moment I'm trying to determine if unix_chkpwd is exploitable:
At least on Linux, it might be exploitable due to vsyslog() call, which creates temporary buffers on heap (in this particular implementation). At the same time, as this vsyslog() is all we have, that would require in-depth analysis of heap contents at the time the attack could be performed, and in-depth analysis of malloc() behavior in order to figure out if there is any heap modification phase that can be interrupted to get exploitable condition. My guess is that it is worth trying. -- _____________________________________________________ Michal Zalewski [lcamtuf () bos bindview com] [security] [http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};: =-=> Did you know that clones never use mirrors? <=-=
Current thread:
- Unsafe Signal Handling unix_chkpwd? Charles Stevenson (May 31)
- Re: Unsafe Signal Handling unix_chkpwd? Michal Zalewski (Jun 01)