On Fri, 26 Jun 1998, Alvaro Martinez Echevarria wrote:

> On Thu, 25 Jun 1998, gold wrote:
>
> > sh-2.02$ id
> > uid=1001(gold) gid=8(mem) groups=100(users)
> > this is on slackware 3.5
> > slack 3.3 was complete euid root
> > thank-you for notice alvaro
>
> Ooops. I forgot about slackware, I didn't report this to them. So
> it seems that under both Slackware 3.3 and 3.5 this bug is a
> direct root compromise:
>
> -under 3.3 you get a direct euid=0; and
> -under 3.5 you are group 8(mem), something that leads me to think
> that the overflow code was executed as root. Because I don't think
> mailx is setgid "mem" in slackware 3.5.

Actually, the mailx binary in Slackware 3.3/3.4 is not setuid or setgid:

-rwxr-xr-x 1 root bin 59420 Aug 16 1996 Mail

I doubt this could be exploited. The mailx in Slackware 3.5 (mailx-8.1.1-9)
is supplied setgid mail, and before applying the patch you could probably
exploit the overflow to get group mail (12).

> I'm sending this (and the original report) to Patrick Volkerding.

It would have been nice to get some advance notice, but I caught the post
on BugTraq (after all, BugTraq *is* the breakfast of champions :) and have
a fixed mailx.tgz binary package up for FTP:

ftp://ftp.cdrom.com/pub/linux/slackware/slakware/n3/mailx.tgz

MD5 sum for the package:

6f7047cf74513b34e35610bebf25c82e mailx.tgz

The patch is also on the same site:

ftp://ftp.cdrom.com/pub/linux/slackware/source/n/mailx/mailx-overflow.diff.gz

And, the MD5 sum on this one is:

c2d69e4823c6c5228a3cb183aeb21720 mailx-overflow.diff.gz

Take care,

Patrick J. Volkerding
Slackware Linux maintainer
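The two checks the reply relies on, whether the installed mailx binary carries a setuid/setgid bit and whether a downloaded package matches the published MD5 sum, as an added POSIX shell example that is not part of the original thread; the /usr/bin/Mail path and the use of GNU md5sum are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit a binary for setuid/setgid
# bits and verify a downloaded package against a published MD5 sum.

# setid_bits FILE -> prints "setuid", "setgid", "setuid+setgid" or "none".
# The POSIX test operators -u and -g inspect the file's mode bits directly.
setid_bits() {
    f=$1
    u=0; g=0
    [ -u "$f" ] && u=1
    [ -g "$f" ] && g=1
    case "$u$g" in
        10) echo setuid ;;
        01) echo setgid ;;
        11) echo setuid+setgid ;;
        *)  echo none ;;
    esac
}

# owner_group FILE -> prints "owner:group" as shown by ls -l, so a setgid
# binary can be matched against the group it would grant (e.g. mail).
owner_group() {
    # shellcheck disable=SC2012
    ls -ld "$1" | awk '{ print $3 ":" $4 }'
}

# md5_matches FILE EXPECTED_SUM -> exit 0 if md5sum(FILE) equals EXPECTED_SUM.
# Assumes GNU md5sum (prints "<sum>  <file>").
md5_matches() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Demo: report on the assumed mailx location if it exists on this host.
# (Path is an assumption; Slackware shipped the binary as "Mail".)
if [ -e /usr/bin/Mail ]; then
    echo "/usr/bin/Mail: $(setid_bits /usr/bin/Mail) $(owner_group /usr/bin/Mail)"
fi
# Verify a downloaded package against the sum printed in the advisory:
#   md5_matches mailx.tgz 6f7047cf74513b34e35610bebf25c82e && echo "mailx.tgz OK"
```

A setgid-to-group-mail result from setid_bits is the condition under which the overflow matters on 3.5, so it is the case an audit should flag.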
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:59:39 PDT