Re: BASH buffer overflow, LiNUX x86 exploit

From: Crispin Cowan (crispinat_private)
Date: Sat Sep 19 1998 - 19:14:06 PDT

    While experimenting with MiG's exploit, I've discovered another ramification of this form of
    vulnerability: the locate facility.  If you leave the huge directory tree that this exploit
    builds lying around overnight, and you have locate installed in your crontab (default in Red
    Hat Linux) then it builds a locate database entry that causes the locate command to seg fault.
    Result:  if root uses locate to find something (very common while sysadmin is trying to
    fix/find something) then the attacker may get root privs via the locate command.
    
    Related question:  I have been unable to get MiG's exploit to work.  I have RH 5.1 installed,
    but I made sure to get bash 1.14.7(1) to test it.  It builds the big nasty directory tree, but
    cd'ing to it as instructed just produces a seg fault.
    
    Crispin
    -----
     Crispin Cowan, Research Assistant Professor of Computer Science, OGI
        NEW:  Protect Your Linux Host with StackGuard'd Programs  :FREE
           http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
    
                     Support Justice:  Boycott Windows 98
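Both observations above hinge on the same artifact: a directory tree nested so deeply that its absolute paths exceed what fixed-size buffers in tools like bash's cd or the locate database reader expect. The following is an added example for administrators, not code from the post or from any of the tools discussed; it walks a filesystem and reports directories whose path length or nesting depth passes a threshold (PATH_MAX of 4096 bytes and a depth of 64 are assumed defaults), so such trees can be found and cleaned up before a nightly updatedb indexes them. The constructed sample tree is built one level at a time with relative names, since creating it through one long absolute path would itself fail with ENAMETOOLONG.

```python
import os
import tempfile

# Assumed limits: Linux PATH_MAX is 4096 bytes; the depth cap is a site policy.
PATH_MAX = 4096

def find_overlong_paths(root, max_len=PATH_MAX, max_depth=64):
    """Walk `root` and return (path, byte_length, depth) for each directory
    whose absolute path exceeds max_len bytes or max_depth nesting levels.
    Unreadable directories are skipped via onerror rather than aborting."""
    root = os.path.abspath(root)
    base_depth = root.count(os.sep)
    hits = []
    for dirpath, dirnames, _files in os.walk(root, onerror=lambda e: None):
        depth = dirpath.count(os.sep) - base_depth
        length = len(os.fsencode(dirpath))
        if length > max_len or depth > max_depth:
            hits.append((dirpath, length, depth))
            # Prune: everything below is longer still, and the kernel may
            # already refuse to open the path, so report the first offender.
            dirnames[:] = []
    return hits

def make_deep_tree(base, depth, name="x" * 10):
    """Constructed sample input: `depth` nested directories created with
    relative names so creation never passes an over-long path to mkdir."""
    cwd = os.getcwd()
    try:
        os.chdir(base)
        for _ in range(depth):
            os.mkdir(name)
            os.chdir(name)
    finally:
        os.chdir(cwd)

def demo(depth=40, max_len=300, max_depth=30):
    """Build a constructed tree in a temp dir and scan it with low limits
    so the check triggers without needing a 4096-byte path."""
    tmp = tempfile.mkdtemp()
    make_deep_tree(tmp, depth)
    return find_overlong_paths(tmp, max_len=max_len, max_depth=max_depth)

if __name__ == "__main__":
    for path, length, depth in demo():
        print(f"{length} bytes, depth {depth}: {path[:60]}...")
```

Run it against real mount points with the default limits; any hit is a candidate for removal before the next updatedb run, and a warning that the path may be unreachable with absolute-path tools.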
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:17:06 PDT