The output with ls -l is the same on a default RedHat 4.2 install... after trying the same thing with it, nothing happened... I got an error of "No servers available"... Trying with 2400 X's yielded the same results. I suspect that this is only a bug in RedHat 5.0.

PrinceC
princectrlat_private

---Cesar Tascon Alvarez <tasconat_private> wrote:
>
> Description:
> Due to lack of security checks there is a standard stack smashing problem.
> Local user can execute code as root.
>
> Let's see.
>
> [tascon@archivald]$ id
> uid=500(tascon) gid=500(tascon) groups=500(tascon),100(users)
> [tascon@archivald]$ cat /etc/redhat-release
> release 5.0 (Hurricane)
> [tascon@archivald]$ ls -l /usr/bin/mh/inc
> -rwsr-sr-x 1 root mail 82972 Oct 15 18:06 /usr/bin/mh/inc
> [tascon@archivald]$ /usr/bin/mh/inc
> inc: no mail to incorporate
> [tascon@archivald]$ /usr/bin/mh/inc -host XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX[...]
> XXXXX <---- (2000 X's here)
> Segmentation fault
>
> ^^^^^^^^^^^^^^^^^^ Dangerous isn't it?
>
> Local exploit exists for that option. Note that MH isn't even configured.
> It's as the installation of RedHat 5.0 left it. Note also that MH is installed
> by default with RedHat 5.0.
>
> Solution: Uninstall this package or remove the suid-bit until patch becomes
> available.
>
> MH also installs another suid-program: msgchk. It's also possible to get a
> Segmentation fault with the same option, but I haven't been able to exploit
> it. I have worked on it quite a bit. Could someone probe it a little deeper??
>
> Greetings
>
>
> ----o-------------------------------o-------------------------------------o----
> Space reserved to describe / Cesar Tascon Alvarez
> my job when I got one. / University of Valladolid (SPAIN)
> Yes, I'm just a student ;) / tasconat_private
> ----o-----------------------o---------------------------------------------o----
>

_________________________________________________________
DO YOU YAHOO!?
Get your free @yahoo.com address at http://mail.yahoo.com
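The bug class the advisory describes is a command-line value copied into a fixed-size stack buffer with no length check inside a setuid-root program. The following is an added illustration of the hardened pattern, not code from MH or from either poster: a hypothetical `-host` option handler that bounds the argument before copying it, so an oversized value such as the 2000 X's above is rejected as an error instead of corrupting the stack. HOST_MAX is an assumed limit (the DNS name length bound), not a value taken from inc's source.

```c
#include <stdio.h>
#include <string.h>

/* Assumed upper bound for a -host value (DNS name limit); hypothetical, not from inc. */
#define HOST_MAX 255

/* Fixed-size buffer of the kind the advisory's crash implies. */
struct inc_opts {
    char host[HOST_MAX + 1];
    int  have_host;
};

/* Hardened form of "copy argv into a fixed buffer": measure with a bound first,
 * refuse anything too long or empty, then copy exactly n bytes and terminate.
 * Returns 0 on success, -1 when the value is rejected. */
static int set_host_safe(struct inc_opts *o, const char *arg) {
    size_t n = 0;
    while (n <= HOST_MAX && arg[n] != '\0') {
        n++;                                 /* bounded scan, never past HOST_MAX+1 */
    }
    if (n == 0 || n > HOST_MAX) {
        return -1;                           /* empty or oversized: clean error, no overflow */
    }
    memcpy(o->host, arg, n);
    o->host[n] = '\0';
    o->have_host = 1;
    return 0;
}

/* Minimal argv walk recognising only "-host NAME". Returns 0 on success, -1 on error. */
static int parse_inc_args(int argc, char *const argv[], struct inc_opts *o) {
    memset(o, 0, sizeof *o);
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-host") == 0) {
            if (i + 1 >= argc) return -1;   /* -host given without a value */
            if (set_host_safe(o, argv[++i]) != 0) return -1;
        } else {
            return -1;                       /* unknown option */
        }
    }
    return 0;
}

int main(int argc, char *argv[]) {
    struct inc_opts o;
    if (parse_inc_args(argc, argv, &o) != 0) {
        fprintf(stderr, "inc: bad or oversized -host argument\n");
        return 1;
    }
    printf("host=%s\n", o.have_host ? o.host : "(none)");
    return 0;
}
```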
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:40:03 PDT