Re: Linux vsyslog() overflow

From: Dann Lunsford (dannat_private)
Date: Mon Dec 22 1997 - 08:59:42 PST


    In <199712210343.AAA02111at_private>, on 12/21/97
       at 12:43 AM, Solar Designer <solarat_private> said:
    >The buffer overflow is in vsyslog(), by the ident string previously set
    >with openlog(). It is exploitable via some versions of /bin/su (for
    >example, the version that comes with Slackware 3.1), and possibly some
    
    As far as I can tell, su has been fixed in Slackware 3.4.
    
    >other privileged processes that use user-supplied data in ident for
    >openlog() -- could even be a daemon setting the ident to something like
    >"daemon: username" (I don't know of any such examples though).
    
    
    
    >I have verified this is exploitable in libc 5.4.23 and RedHat's 5.3.12-18
    >that comes with RH 4.2, but is fixed in 5.4.38. It can't be exploited via
    >/bin/su on standard RedHat setup though.
    
    >Actually, the behavior of Slackware's /bin/su is quite stupid anyway:
    
    >sunny:/tmp$ ln -s /bin/su kernel
    >sunny:/tmp$ export PATH=.:$PATH
    >sunny:/tmp$ kernel
    >Password:
    >sunny:/tmp# tail -1 /var/log/messages
    >Dec 20 23:32:33 sunny kernel: root on /dev/ttyp1
    
    Again, can't duplicate this under Slackware 3.4.
    
    >No real security hole here, but this shows it was a stupid thing to use
    >argv[0] for openlog().
    
    Gotta agree here.
    
    <snip>
    >Since you should fix the vulnerability regardless if it's exploitable via
    >your version of /bin/su or not, here's a tiny program for checking if
    >your libc is vulnerable. If this segfaults, you're vulnerable.
    
    >--- syslog-check.c ---
    <snip>
    
    Under Slackware 3.4, libc 5.4.33, this code causes
    <BUFFER OVERUN ATTEMPT>: message
    to be logged to syslog.
    
    
    --
    Dann Lunsford      * The only thing necessary for the triumph of evil *
    dannat_private   * is that men of good will do nothing.  --  Cicero *
    Hiroshima 45 -- Chernobyl 86 -- Windows 95
    
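The thread's practical point is that `/bin/su` passed `argv[0]` straight into `openlog()`, which both lets a caller pick the log tag (the `kernel` symlink trick) and feeds an attacker-sized ident into the libc 5 `vsyslog()` overflow. The following is an added example, not Solar Designer's `syslog-check.c` (which is snipped above) and not Slackware's `su`: it shows the vulnerable call beside a fixed ident, a bounded sanitiser for the case where the program name really is wanted, and a probe in the spirit of the snipped check program. `IDENT_MAX`, `make_ident` and `probe_long_ident` are this example's own names.

```c
/* Added example: argv[0]-derived syslog ident, vulnerable pattern and two
 * hardened alternatives. Not the thread's syslog-check.c and not su. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define IDENT_MAX 32   /* assumed limit for an ident derived from argv[0] */

/* Copy the basename of argv0 into dst (size dstsz), bounded, with control
 * and space characters replaced by '_'. Returns the length stored.
 * This removes the overflow risk but NOT the spoofing: a symlink named
 * "kernel" still yields the ident "kernel". */
size_t make_ident(char *dst, size_t dstsz, const char *argv0)
{
    const char *base, *slash;
    size_t i, n;

    if (dstsz == 0) return 0;
    if (argv0 == NULL || *argv0 == '\0') argv0 = "unknown";
    slash = strrchr(argv0, '/');
    base = slash ? slash + 1 : argv0;
    if (*base == '\0') base = "unknown";   /* "/bin/" has no basename */
    n = strlen(base);
    if (n > dstsz - 1) n = dstsz - 1;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)base[i];
        dst[i] = (isprint(c) && !isspace(c)) ? (char)c : '_';
    }
    dst[n] = '\0';
    return n;
}

/* Probe in the spirit of the thread's check program (my own version):
 * hand openlog() an ident of `len` bytes and log one line. A vsyslog()
 * that copies the ident into a fixed stack buffer can crash here; on a
 * libc that bounds it the function returns 0. The buffer is static because
 * glibc keeps the ident pointer rather than copying the string. */
int probe_long_ident(size_t len)
{
    static char ident[8192];
    if (len >= sizeof ident) len = sizeof ident - 1;
    memset(ident, 'A', len);
    ident[len] = '\0';
    openlog(ident, LOG_PID, LOG_USER);
    syslog(LOG_DEBUG, "vsyslog ident probe, %zu-byte ident", len);
    closelog();
    return 0;
}

int main(int argc, char **argv)
{
    char ident[IDENT_MAX];

    /* Vulnerable pattern from the thread: whatever name the caller gave
     * the binary (or a symlink to it) goes straight into vsyslog():
     *     openlog(argv[0], LOG_PID, LOG_AUTH);
     */

    /* Hardened option 1 (right choice for a setuid program): fixed ident. */
    openlog("su", LOG_PID, LOG_AUTH);
    syslog(LOG_DEBUG, "example started (constructed message)");
    closelog();

    /* Hardened option 2: if the program name is wanted in the tag,
     * bound and sanitise it first. */
    make_ident(ident, sizeof ident, argc > 0 ? argv[0] : NULL);
    openlog(ident, LOG_PID, LOG_USER);
    syslog(LOG_DEBUG, "example started under derived ident");
    closelog();

    if (argc > 1 && strcmp(argv[1], "--probe") == 0)
        return probe_long_ident(4000);
    return 0;
}
```

Run with `--probe` to exercise the long-ident path; a libc that survives it simply returns 0, while the libc 5 versions named in the thread would fault. Note that only the fixed ident closes the `ln -s /bin/su kernel` spoof; bounding the copy only addresses the overflow.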



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:37:16 PDT