Re: [SECURITY] Seyon is vulnerable to a root exploit

From: Bruno Morisson (morissonat_private)
Date: Mon Aug 31 1998 - 11:34:32 PDT


    Martin Schulze wrote:
    
    >     Since SGI does not provide exploit information, we are unable to
    >     fix the problem.  SGI provided such information only to recognized
    >     security response/incident/coordination organizations and bugtraq
    >     doesn't seem to be accepted.  SGI doesn't develop patches to third
    >     party products, thus there is no chance for a quick fix.
    
    The bug is in a command line argument to seyon. If you do
    
    root:~# seyon -noemulator <very long string (approximately 200 bytes)>
    
    it will overflow. Getting a shell is trivial (although it needs to
    regain privileges through a setreuid(0,0) for example, since seyon drops
    privileges), but we were unable to find any Linux distribution that
    shipped seyon suid root (at least not the latest slackware and redhat5.1,
    we had no access to others). It seems that in redhat 5.1 it is sgid
    uucp.
    
    We were able to exploit the bug, so in cases where seyon is suid root it
    is possible to get a root shell.
    
    Regards,
    Bruno Morisson and Marco Vaz
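
The message ties the impact of the overflow to how seyon is installed (suid root versus sgid uucp versus neither). The following audit script is an added example, not part of the original post or of seyon; the function names `priv_exposure` and `impact` are hypothetical, and it assumes a POSIX shell with `ls -n` available.

```shell
#!/bin/sh
# Added example: report which identities a binary gains on exec, so an
# administrator can judge what a memory-corruption bug in it is worth.

# priv_exposure PATH
# Prints "none", "setuid uid=N", "setgid gid=M", or both, using numeric ids.
priv_exposure() {
    f=$1
    [ -f "$f" ] || { echo "missing"; return 1; }
    # ls -n prints numeric owner and group as fields 3 and 4.
    set -- $(ls -ldn -- "$f")
    uid=$3 gid=$4
    out=""
    [ -u "$f" ] && out="setuid uid=$uid"
    [ -g "$f" ] && out="${out:+$out }setgid gid=$gid"
    echo "${out:-none}"
}

# impact PATH
# Maps the mode bits to the cases the message distinguishes.
impact() {
    e=$(priv_exposure "$1") || { echo "not installed"; return 0; }
    case $e in
        *"setuid uid=0"*) echo "root shell possible" ;;   # suid root case
        none)             echo "no privilege gain" ;;      # plain binary
        *)                echo "limited to: $e" ;;         # e.g. sgid uucp
    esac
}

# Check the seyon binary on this host, if one is on PATH.
if bin=$(command -v seyon 2>/dev/null); then
    echo "$bin: $(impact "$bin")"
    # Mitigation until a fixed build is installed: chmod ug-s "$bin"
fi
```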
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:14:29 PDT