Cidentd

From: Jackal (jackalat_private)
Date: Sat Jan 10 1998 - 04:32:44 PST

    I'm sorry if this is already known, but I'm new to bugtraq. I've been using
    cidentd for quite a long time and I have never had any problems. But,
    while I was looking in the code, I found something interesting. The
    buffers cident uses for reading from /etc/cident.users and ~/.authlie
    are all 1024 bytes long. So I created, as a normal user, a ~/.authlie with
    a single line like this:
    user    xxxx......xxxxx
             (1024 times)
    And something not so unexpected happened... Cidentd would core dump...
    I'm not too good with making buffer overflow exploits, but I believe
    that xxx could be replaced with some shell code like making a suid shell
    in /tmp.
    
    Jackal/XTC
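
Added example (not part of the original post and not cidentd's code): a bounded reader for a "key value" line that rejects anything that does not fit a 1024-byte buffer instead of copying it. The line format and the names read_entry and try_value_of_length are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define BUF_LEN 1024 /* buffer size reported in the post */

/* Read one "key value" line into key/val (BUF_LEN bytes each).
 * Returns 0 on success, -1 on EOF, an overlong or a malformed line. */
int read_entry(FILE *fp, char *key, char *val)
{
    char line[BUF_LEN];
    const char *k, *v;
    size_t len, klen, vlen;
    int c;

    if (fgets(line, sizeof line, fp) == NULL)
        return -1;
    len = strlen(line);
    if (len == sizeof line - 1 && line[len - 1] != '\n') {
        /* Did not fit: drain the rest and reject rather than truncate. */
        while ((c = fgetc(fp)) != EOF && c != '\n') {}
        return -1;
    }
    k = line + strspn(line, " \t");
    klen = strcspn(k, " \t\r\n");
    v = k + klen + strspn(k + klen, " \t");
    vlen = strcspn(v, " \t\r\n");
    if (klen == 0 || vlen == 0)
        return -1;
    /* Both fields lie inside line[], so each is shorter than BUF_LEN. */
    memcpy(key, k, klen);
    key[klen] = '\0';
    memcpy(val, v, vlen);
    val[vlen] = '\0';
    return 0;
}

/* Constructed input: "user" plus n 'x' characters, the shape in the post. */
int try_value_of_length(size_t n)
{
    char key[BUF_LEN], val[BUF_LEN];
    FILE *fp = tmpfile();
    int rc;

    if (fp == NULL) return -2;
    fputs("user\t", fp);
    while (n-- > 0) fputc('x', fp);
    fputc('\n', fp);
    rewind(fp);
    rc = read_entry(fp, key, val);
    fclose(fp);
    return rc;
}
```

Draining the remainder of an overlong line keeps its tail from being parsed as a separate entry on the next call.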
    


