While experimentin with MiG's exploit, I've discovered another ramification of this form of vulnerability: the locate facility. If you leave the huge directory tree that this exploit builds lying around over night, and you have locate installed in your crontab (default in Red Hat Linux) then it builds a locate database entry that causes the locate command to seg fault. Result: if root uses locate to find something (very common while sysadmin is trying to fix/find something) then the attacker may get root privs via the locate command. Related question: I have been unable to get MiG's exploit to work. I have RH 5.1 installed, but I made sure to get bash 1.14.7(1) to test it. It builds the big nasty directory tree, but cd'ing to it as instructed just produces a seg fault. Crispin ----- Crispin Cowan, Research Assistant Professor of Computer Science, OGI NEW: Protect Your Linux Host with StackGuard'd Programs :FREE http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/ Support Justice: Boycott Windows 98
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:17:06 PDT