On Thu, 31 May 2001, Charles Stevenson wrote: > Hi, great paper. I just started hammering at all the standard suid > binaries and at the moment I'm trying to determine if unix_chkpwd is > exploitable: At least on Linux, it might be exploitable due to vsyslog() call, which creates temporary buffers on heap (in this particular implementation). At the same time, as this vsyslog() is all we have, that would require in-depth analysis of heap contents at the time the attack could be performed, and in-depth analysis of malloc() behavior in order to figure out if there is any heap modification phase that can be interrupted to get exploitable condition. My guess is that it is worth trying. -- _____________________________________________________ Michal Zalewski [lcamtufat_private] [security] [http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};: =-=> Did you know that clones never use mirrors? <=-=
This archive was generated by hypermail 2b30 : Fri Jun 01 2001 - 08:14:08 PDT