Hi,

> smbclient version: 1.9.18p3   Overflow occurs after 8505 characters
> compress version: 4.2.4       Overflow at 1100 characters
> elvis version: 2.0            Lots of fun quirks over 1000-100000;
>                               maybe an exploit symlinking with tmp's
> lha version: 1.02             Overflow at >19211

none of these applications is s[ug]id, so these overflows can not be
exploited to gain privilege.

about the symlink attack on elvis-2.0:

    /* unix/osprg.c */
    char id_osprg[] = "$Id: osprg.c,v 2.9 1996/05/23 00:03:51 steve Exp $";

    #define TMPDIR (o_directory ? tochar8(o_directory) : "/tmp")

    static char tempfname[100];   /* name of temp file */

    /* create a temporary file for feeding the program's stdin */
    sprintf(tempfname, "%s/elvis%d.tmp", TMPDIR, (int)getpid());
    writefd = open(tempfname, O_WRONLY|O_CREAT|O_EXCL, 0600);
    if (writefd < 0)
    {
        msg(MSG_ERROR, "can't make temporary file");
        free(command);
        return False;
    }

it's not vulnerable.

>
> There are many more but I'm too tired to document them, if you have any
> questions, I can be reached at hdmooreat_private

if some of them can really be used to gain more privileges on the machine
or result in a denial-of-service, email them to securityat_private please

> The major concern i have is non-privileged users trashing system files
> with suid apps, please check ALL your suid's for overflows...Anyways,
> Thrill Kill rocked and I'm beat and bloody from the pit, so goodnight.

well, if you find any, drop me a note.

Greets,
        Marc

--
Marc Heuse, S.u.S.E. GmbH, Fahrradstr. 56, D-90429 Nuernberg
E@mail: marcat_private          Function: Security Support & Auditing
Use "finger marcat_private | pgp -fka" for my public pgp key
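Marc's point above, that O_CREAT|O_EXCL on the predictable elvis<pid>.tmp name refuses a symlink planted there, as an added C example; this is not code from elvis or from either poster, and the helper names, the scratch directory under /tmp and the "victim" target are constructed for the demonstration.

```c
#define _GNU_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Both openers are hypothetical helpers (not elvis code) that build the same
 * predictable "<dir>/elvis<pid>.tmp" name osprg.c uses, write it into out,
 * and return the fd, or -1 with errno set. */

/* What osprg.c does: O_CREAT|O_EXCL fails with EEXIST if anything already
 * exists at the path, and never follows a symlink in the final component. */
int open_tmp_excl(const char *dir, char *out, size_t outlen)
{
    snprintf(out, outlen, "%s/elvis%d.tmp", dir, (int)getpid());
    return open(out, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* The weak form for contrast: without O_EXCL, a symlink planted at the
 * predictable name is followed and its target is created or truncated. */
int open_tmp_weak(const char *dir, char *out, size_t outlen)
{
    snprintf(out, outlen, "%s/elvis%d.tmp", dir, (int)getpid());
    return open(out, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

typedef int (*opener_fn)(const char *, char *, size_t);

/* Scenario: in a fresh private directory, plant a symlink at the predictable
 * name pointing at a not-yet-existing "victim", then run the opener.
 * Returns 1 if "victim" got created (symlink followed), 0 if the opener
 * refused with EEXIST and victim stayed absent, -1 on setup failure. */
int opener_follows_planted_symlink(opener_fn opener)
{
    char dir[] = "/tmp/exclXXXXXX";
    char path[256], link_path[256], victim[256];
    int fd, saved, result;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link_path, sizeof link_path, "%s/elvis%d.tmp", dir, (int)getpid());
    if (symlink(victim, link_path) != 0) { rmdir(dir); return -1; }
    fd = opener(dir, path, sizeof path);
    saved = errno;                       /* keep errno before access() clobbers it */
    if (access(victim, F_OK) == 0) result = 1;
    else result = (fd == -1 && saved == EEXIST) ? 0 : -1;
    if (fd >= 0) close(fd);
    unlink(link_path); unlink(victim); rmdir(dir);
    return result;
}
```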
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:14:56 PDT