Re: OpenUNIX 8 & Unixware possible local root

From: Scott J (mrbinaryat_private)
Date: Thu Oct 04 2001 - 07:23:39 PDT


    For whatever reason, it seems that AIX may not be vulnerable. This test
    was performed on a stinky old E30 133 MHz RS/6000, 512 MB "server" (more
    like a workstation now, and a wimpy one at that). But it's the only thing
    I could get my hands on to try this exploit(?). I was unable to get dtterm
    to segfault.

    This is AIX 4.3.3 with maintenance level of at least 6 applied, more
    likely 7 or 8. It's a uniprocessor box: lslpp -ha bos.up returns 4.3.3.26
    applied & committed.

    Apologies to Bugtraqqers, I don't have time to try out the entire dt
    suite o' crap at the moment with the problems that have just cropped up.
    See details below.
    
    myuseridat_private [/home/net/myuserid] [0]
    $ date
    date
    Thu Oct  4 08:58:33 EDT 2001
    
    myuseridat_private [/home/net/myuserid] [0]
    $ uname -a
    uname -a
    AIX ourhost01 3 4 00299A86C000
    
    myuseridat_private [/home/net/myuserid] [0]
    $ /usr/dt/bin/dtterm -tn `perl -e 'print "A"x23462'`
    /usr/dt/bin/dtterm -tn `perl -e 'print "A"x23462'`
    ksh: /usr/dt/bin/dtterm: arg list too long
    
    myuseridat_private [/home/net/myuserid] [126]
    $ /usr/dt/bin/dtterm -tn `perl -e 'print "A"x23461'`
    /usr/dt/bin/dtterm -tn `perl -e 'print "A"x23461'`
    
    myuseridat_private [/home/net/myuserid] [0]
    $ ls -al core
    ls -al core
    core not found
    
    myuseridat_private [/home/net/myuserid] [2]
    $ /usr/dt/bin/dtterm -tn `perl -e 'print "A"x23461'`
    /usr/dt/bin/dtterm -tn `perl -e 'print "A"x23461'`
    
    myuseridat_private [/home/net/myuserid] [0]
    $ ls -al core
    ls -al core
    core not found
    
    myuseridat_private [/home/net/myuserid] [2]
    $ /usr/dt/bin/dtterm -tn `perl -e 'print "A"x23461'`
    /usr/dt/bin/dtterm -tn `perl -e 'print "A"x23461'`
    
    myuseridat_private [/home/net/myuserid] [0]
    $ ls -al core                                       
    ls -al core
    core not found
    
    myuseridat_private [/home/net/myuserid] [2]
    $ 
    
    myuseridat_private [/home/net/myuserid] [2]
    $ ls -al /usr/dt/bin/dtterm
    ls -al /usr/dt/bin/dtterm
    -r-sr-xr-x   1 root     bin        40756 Jul 13 1999 /usr/dt/bin/dtterm
    
    Goodbye, and may the road rise with you.
    
    



    This archive was generated by hypermail 2b30 : Thu Oct 04 2001 - 16:31:04 PDT