Re: [ Hackerslab bug_paper ] Linux dump buffer overflow

From: Przemyslaw Frasunek (venglinat_private)
Date: Fri Mar 03 2000 - 15:08:35 PST

    On 02-Mar-2000 Derek Callaway wrote:
    > I believe this overflow is rather difficult to exploit, (although, not
    > impossible) as a result of a setuid(getuid()) before the offending code
    
    It does setuid(), but NOT setgid(). Still vulnerable.
    
    The major problem is how to pass a valid **envp to the stack and let getenv()
    successfully return. Probably possible by giving a pointer to some valid
    environment in shared libs.
    
    --
    * Fido: 2:480/124 ** WWW: http://www.freebsd.lublin.pl ** NIC-HDL: PMF9-RIPE *
    * Inet: venglinat_private ** PGP: D48684904685DF43  EA93AFA13BE170BF *
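
The setuid-without-setgid point made in the reply above, as an added C example (not code from dump or from the poster): a setgid binary that only calls setuid(getuid()) keeps its effective and saved group id, so a caller who gets code execution still holds the group's privilege. The hardened routine drops supplementary groups, then all three gids, then all three uids, and the check functions confirm via getresuid()/getresgid() that nothing privileged is left to regain. Function names are my own; the code assumes a glibc/Linux system with the setres*() calls.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <grp.h>

/* The pattern the reply describes: euid dropped, egid left untouched.
 * In a setgid binary the effective and saved gids stay privileged. */
static int drop_uid_only(void)
{
    return setuid(getuid()) == 0 ? 0 : -1;
}

/* Full drop. Order matters: supplementary groups first (needs root),
 * then all three gids, then all three uids, because once the uid is
 * unprivileged the group calls can no longer shed a privileged group. */
static int drop_all_privileges(void)
{
    gid_t gid = getgid();
    uid_t uid = getuid();

    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    return 0;
}

/* 1 if real, effective and saved gids all match (no group privilege
 * left to regain with a later setgid()), 0 otherwise. */
static int gid_fully_dropped(void)
{
    gid_t r, e, s;
    if (getresgid(&r, &e, &s) != 0)
        return 0;
    return r == e && e == s;
}

/* Same check for the uid triple. */
static int uid_fully_dropped(void)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0)
        return 0;
    return r == e && e == s;
}

int main(void)
{
    /* Run this binary setgid to some group to see the difference:
     * after drop_uid_only() the gid check still reports 0. */
    if (drop_uid_only() != 0)
        perror("setuid");
    printf("after setuid(getuid()) only: uid dropped=%d gid dropped=%d\n",
           uid_fully_dropped(), gid_fully_dropped());

    if (drop_all_privileges() != 0) {
        perror("drop_all_privileges");
        return 1;
    }
    printf("after full drop:            uid dropped=%d gid dropped=%d\n",
           uid_fully_dropped(), gid_fully_dropped());
    return 0;
}
```

The difference is only visible when the binary actually runs setgid; run as an ordinary user both checks trivially report 1. The saved gid is the detail that plain setgid(getgid()) misses for a non-root setgid program: it resets the effective gid but leaves the saved one, so setresgid() (or setregid() with both arguments) is the call to use.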
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:39:01 PDT