Re: top format string bug exploit code (exploitable)

From: Lupe Christoph (lupe@lupe-christoph.de)
Date: Wed Jul 25 2001 - 23:42:18 PDT


    On Wednesday, 2001-07-25 at 19:24:29 +0900, SeungHyun Seo wrote:
    
    > It still seems to be affected under 3.5beta9 (including this version).
    > Someone said it was not an exploitable vulnerability about 8 months ago,
    > but it is possible to exploit, though the situation is difficult.
    > The following code and some procedure comments demonstrate it.
    
    > possible to get kmem privilege in the XXXXBSD which is still not patched,
    > possible to get root privilege in Solaris.
    
    Top does not need to be SUID root in Solaris, either. The default
    install uses this mode (clipped from the Makefile generated on
    Solaris 8 x86):

    MODE   = 2711
    GROUP  = sys

    Both /dev/mem and /dev/kmem are

    crw-r-----   1 root     sys       13,  1 Dec  3  2000 /dev/kmem
    crw-r-----   1 root     sys       13,  0 Dec  3  2000 /dev/mem
    
    Lupe Christoph
    -- 
    | lupe@lupe-christoph.de       |        http://free.prohosting.com/~lupe |
    | I have challenged the entire ISO-9000 quality assurance team to a      |
    | Bat-Leth contest on the holodeck. They will not concern us again.      |
    | http://public.logica.com/~stepneys/joke/klingon.htm                    |
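
The point of the reply above is that a binary does not have to be setuid root to be worth attacking: setgid `sys` is enough when the kernel memory devices are group-readable by `sys`. The following is an added example (not code from the original post or from top itself) of a small POSIX sh audit that, given a binary and a device node, reports whether the binary's setuid or setgid credential is sufficient to read the device. The function names and the constructed temporary files in the demonstration are my own; on a real system you would point it at the installed top and at /dev/kmem.

```shell
#!/bin/sh
# Added example: does a setuid/setgid binary carry a credential that can read
# a kernel memory device?  Relies only on POSIX ls, find and awk.
# Assumptions: BIN and DEV are paths passed as arguments; names are hypothetical.

# file_field FILE N: field N of `ls -ld FILE` (3 = owner, 4 = group)
file_field() {
    ls -ld "$1" | awk -v n="$2" '{ print $n }'
}

# has_mode FILE OCTAL: succeed if every bit in OCTAL is set on FILE
has_mode() {
    [ -n "$(find "$1" -prune -perm -"$2" 2>/dev/null)" ]
}

# kmem_exposure BIN DEV: print a verdict; return 0 if BIN's elevated
# credential can read DEV, 1 if it cannot, 2 on a missing path.
kmem_exposure() {
    bin=$1
    dev=$2
    if [ ! -e "$bin" ] || [ ! -e "$dev" ]; then
        echo "ERROR: $bin or $dev does not exist"
        return 2
    fi
    bin_owner=$(file_field "$bin" 3)
    bin_group=$(file_field "$bin" 4)
    dev_owner=$(file_field "$dev" 3)
    dev_group=$(file_field "$dev" 4)

    # setuid: the process runs as bin_owner.  root reads anything; any other
    # owner needs to match the device owner and have the owner-read bit.
    if has_mode "$bin" 4000; then
        if [ "$bin_owner" = root ] ||
           { [ "$bin_owner" = "$dev_owner" ] && has_mode "$dev" 0400; }; then
            echo "EXPOSED: $bin is setuid $bin_owner and $dev is readable by $bin_owner"
            return 0
        fi
    fi

    # setgid: the process runs with bin_group (the 2711 / GROUP=sys case above).
    if has_mode "$bin" 2000 &&
       [ "$bin_group" = "$dev_group" ] && has_mode "$dev" 0040; then
        echo "EXPOSED: $bin is setgid $bin_group and $dev is group-readable by $dev_group"
        return 0
    fi

    echo "OK: $bin grants no credential that can read $dev"
    return 1
}

# Demonstration on constructed files (both are created by the same user, so
# they share a group, which stands in for GROUP=sys on a Solaris install).
demo_dir=$(mktemp -d)
touch "$demo_dir/top" "$demo_dir/kmem"
chmod 2711 "$demo_dir/top"    # MODE = 2711, as in the quoted Makefile
chmod 0640 "$demo_dir/kmem"   # crw-r-----, as in the quoted ls output
kmem_exposure "$demo_dir/top" "$demo_dir/kmem" || true
chmod 0711 "$demo_dir/top"    # same binary with the setgid bit cleared
kmem_exposure "$demo_dir/top" "$demo_dir/kmem" || true
rm -rf "$demo_dir"
```

The check deliberately compares mode bits and ownership rather than trying to open the device, so it can be run as an unprivileged user over an installed tree. It does not model supplementary groups or ACLs; a `+` in the `ls -l` mode column means an ACL is present and the verdict should be confirmed by hand.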
    



    This archive was generated by hypermail 2b30 : Thu Jul 26 2001 - 15:45:53 PDT