On 02-Mar-2000 Derek Callaway wrote:

> I believe this overflow is rather difficult to exploit, (although, not
> impossible) as a result of a setuid(getuid()) before the offending code

It does setuid(), but NOT setgid(). Still vulnerable.

The major problem is how to pass valid **envp to the stack and let getenv() successfully return. Probably possible by giving a pointer to some valid environment in shared libs.

-- 
* Fido: 2:480/124 ** WWW: http://www.freebsd.lublin.pl ** NIC-HDL: PMF9-RIPE *
* Inet: venglinat_private ** PGP: D48684904685DF43 EA93AFA13BE170BF *
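An added example, not part of the original message, showing the privilege drop the reply says the offending code got wrong: supplementary groups and the gid are dropped before the uid (the reverse order fails once root is gone), and the result is verified rather than assumed. It uses only POSIX setgroups()/setgid()/setuid(); the function names are the editor's.

```c
#define _DEFAULT_SOURCE        /* for setgroups() in <grp.h> on glibc */
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* After a uid-only drop (setuid(getuid()) with no setgid()), the process
 * still runs with the setgid file's group. This is the gap the reply points at. */
int group_privilege_retained(void)
{
    return getegid() != getgid();
}

/* Drop to the real uid AND gid, in the order that works, then verify.
 * Returns 0 on success, -1 if any step fails or privilege can be regained.
 * Order matters: setgroups() and setgid() to a different group need
 * root, so they must run before setuid() gives root up. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (geteuid() == 0) {
        /* Clear supplementary groups while we are still allowed to. */
        if (setgroups(1, &rgid) != 0)
            return -1;
    }
    if (setgid(rgid) != 0)          /* the call the reported code omitted */
        return -1;
    if (setuid(ruid) != 0)
        return -1;

    /* Verify the effective ids really changed. */
    if (getegid() != rgid || geteuid() != ruid)
        return -1;
    /* If we dropped from root, regaining it must now fail; if it succeeds,
     * a saved id still carries privilege and the drop was incomplete. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    if (rgid != 0 && setgid(0) == 0)
        return -1;
    return 0;
}
```

Calling drop_privileges() early in a setuid/setgid program, and aborting if it returns -1, closes the setgid-only exposure the reply describes.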
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:39:01 PDT