[Full-Disclosure] (no subject)

From: btat_private
Date: Fri May 02 2003 - 09:47:43 PDT


    Hi!
    
    There are many buffer overflows in kermit on HP-UX 11.0. I am sure it is vulnerable in other HP-UX versions, too, since "C-Kermit 6.0.192, 6 Sep 96, for HP-UX 10.00" is installed in HP-UX 11.0 by default.
    
    /usr/bin/kermit is setuid to bin and setgrp to daemon, so upon successful exploitation, a local user could get these privileges.
    
    Example of one simple buffer overflow in kermit:
    $ /usr/bin/kermit -C "ask `perl -e 'print "A" x 120'`"
    Executing /usr/share/lib/kermit/ckermit.ini for UNIX...
    Good Evening.
    Segmentation fault (core dumped)
    
    There are more kermit commands whose parameter length is not checked: askq, define, assign, getc. Several of them use the same vulnerable function "doask". I am SURE that these are not all the vulnerabilities in kermit.
    
    One more thing (I am not sure if it is exploitable, but anyway):
    [/home/xxxxxxxxxx] C-Kermit>set alarm %:%:%
    Floating point exception (core dumped)
    
    Solution - take off setuid bits from /usr/bin/kermit.
     
    In my opinion, patching kermit against these (and maybe many more) vulnerabilities is not an option, since the source of C-Kermit 6.0.192 is publicly available, and it is very buggy.
    
    I tried to contact security-alertat_private, but I got an error message "Client host rejected: Access denied" (spam?).
    
    Bye,
    
    btat_private
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
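The defect the post describes is an unchecked copy of a command argument into a fixed-size buffer. The following is an added illustration, not code from C-Kermit or from the poster: a hypothetical prompt buffer of an assumed size (PROMPT_MAX is a made-up value, not taken from the kermit source) filled first by the vulnerable unbounded pattern and then by a bounded version that rejects any argument that does not fit. The 120-character argument from the report is constructed inline with the same repeated-'A' shape as the perl one-liner, so the block runs offline.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size prompt buffer standing in for the kind of
 * stack buffer a command like "ask" fills. The size is an assumption
 * for this example, not a value taken from C-Kermit's source. */
#define PROMPT_MAX 64

/* Vulnerable pattern: copy the caller-supplied prompt with no length
 * check. A 120-byte argument, as in the crash in the report, would
 * overrun a PROMPT_MAX-byte destination. Shown for contrast only; the
 * example never calls it with an oversized input. */
int prompt_copy_unbounded(char *dst, const char *src)
{
    strcpy(dst, src);
    return 0;
}

/* Hardened pattern: accept the prompt only if it fits together with its
 * terminating NUL, and leave dst in a defined (empty) state otherwise.
 * Returns 0 on success, -1 when the input is too long. */
int prompt_copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0)
        return -1;
    if (n >= dstsz) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Build a constructed argument of `len` repeated 'A' characters, the way
 * the perl one-liner in the report does, so the example runs offline.
 * Returns 0, or -1 if the request does not fit in buf. */
int make_argument(char *buf, size_t buflen, size_t len)
{
    if (len >= buflen)
        return -1;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return 0;
}

/* Feed a constructed argument of the given length to the bounded copy
 * and report its verdict: 0 accepted, -1 rejected. */
int bounded_verdict(size_t len)
{
    char arg[256];
    char prompt[PROMPT_MAX];
    if (make_argument(arg, sizeof arg, len) != 0)
        return -1;
    return prompt_copy_bounded(prompt, sizeof prompt, arg);
}

int main(void)
{
    size_t lens[] = { 10, PROMPT_MAX - 1, PROMPT_MAX, 120 };
    size_t i;
    for (i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        int rc = bounded_verdict(lens[i]);
        printf("%3zu-byte prompt: %s\n", lens[i],
               rc == 0 ? "accepted" : "rejected (would not fit)");
    }
    return 0;
}
```

The bounded version is the code-level fix; the poster's own mitigation of clearing the setuid and setgid bits on /usr/bin/kermit is the operational one, since it removes the privilege a crash in this kind of buffer could otherwise hand to a local user.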
    



    This archive was generated by hypermail 2b30 : Fri May 02 2003 - 10:17:20 PDT