Re: LinCity Buffer Overflow

From: Bob Tracy - TDS (rctat_private)
Date: Mon Mar 16 1998 - 11:40:21 PST

    T. Freak wrote:
    >
    > While a buffer overflow is blatantly obvious in the code, I don't think it
    > is very dangerous.  Observe.
    >
    > (exploit attempt)
    > sh-2.01$ id
    > uid=1000(tfreak) gid=1000(tfreak)
    > groups=1000(tfreak),0(root),4(adm),7(lp),24(cdrom),25(floppy),31(majordom),69(geek)
    > sh-2.01$
    
    The version of bash you are running is the key here...  2.01 renounces
    setuid/setgid privs when called as "sh", e.g., system() within a program,
    unless the "-p" flag is passed.  See the "NOTES" file in the root
    directory of the bash-2.01.1 distribution for details.
    
    --
    Bob Tracy               | "Eagles may soar, but weasels don't get
    AFIWC/TIPER             |  sucked into jet engines."
    rctat_private  |       --Anon
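
    As an added illustration (this is not code from the posting above nor from
    the bash distribution), the following C program models the rule Bob
    describes and shows the defensive counterpart for a setuid program that
    has to shell out: drop to the real uid/gid yourself before calling
    system(), rather than relying on /bin/sh happening to be a bash that
    renounces privileges. The function names and the constructed uid/gid
    values are assumptions made for the example.

```c
/* Added example, not from the list posting or from bash itself.
 * Models the privilege check a bash 2.01 started as "sh" (without -p)
 * applies, and shows a setuid program dropping privileges before system(). */
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>

/* Mirror of the rule in the reply: a shell that finds its real and effective
 * ids mismatched discards the elevated ids unless privileged mode (-p) was
 * requested.  Returns 1 if such a shell would renounce setuid/setgid privs. */
int shell_would_drop_privs(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid,
                           int privileged_mode)
{
    if (privileged_mode)
        return 0;                       /* -p keeps whatever ids were inherited */
    return (ruid != euid) || (rgid != egid);
}

/* Defensive counterpart in the calling program: give up the elevated ids
 * before any system()/popen(), so the outcome does not depend on which shell
 * /bin/sh is.  Order matters: supplementary groups, then gid, then uid, since
 * once the uid is dropped the gid can no longer be changed.
 * Returns 0 when the process ends up with effective == real ids, -1 otherwise. */
int drop_privileges(void)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;                      /* only root may clear the group list */
    if (setgid(getgid()) != 0)
        return -1;
    if (setuid(getuid()) != 0)
        return -1;
    /* Verify rather than trust the return codes alone. */
    if (geteuid() != getuid() || getegid() != getgid())
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed ids matching the quoted "id" output: ruid 1000, euid 0. */
    printf("sh started with ruid=1000 euid=0, no -p: drops privs = %d\n",
           shell_would_drop_privs(1000, 0, 1000, 1000, 0));
    printf("same shell started with -p: drops privs = %d\n",
           shell_would_drop_privs(1000, 0, 1000, 1000, 1));

    if (drop_privileges() != 0) {
        fprintf(stderr, "could not drop privileges; refusing to shell out\n");
        return 1;
    }
    /* Whatever /bin/sh is, the child now runs with the real ids only. */
    return system("id") == 0 ? 0 : 1;
}
```

    The first function only encodes the check; the second is what a program
    should do regardless of that check, and an explicit execve() of a fixed
    argv is preferable to system() where the shell is not actually needed.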
    