KF wrote:
> Here are several binaries on SCO that are not suid, however they seem to have
> classic overflows... I was wondering if these could be exploited due to the
> fact that a number of programs call them. vi, pg and more are the binaries in
> question.
>
> # SCO_SV frodev 3.2 5.0.6 i386
> # TERM=`perl -e 'print "A" x 7000'`
> # export TERM
> # vi
> Memory fault - core dumped
> # pg
> Memory fault - core dumped
> # more
> Memory fault - core dumped
>
> Perhaps vi is exploitable via a suid program calling it?

As others have pointed out, if an suid/sgid program calls vi while still
privileged, you do not need a buffer overflow to exploit it! Just shell out
and have fun. In fact, with very few exceptions (and those by deliberate
design), if an suid/sgid program execs anything else while still holding its
privileges, it's being stupid (and probably exploitable).

Yes, the OpenServer versions of those programs [vi, pg, more, and no doubt
many others] have bugs which can be provoked to generate core dumps. These
bugs are not directly exploitable in the classic sense. With a typical buffer
overflow attack, you could probably cause those programs to run a shell -- as
you. Might as well just type "/bin/sh".

They're bugs which ought to be fixed, but which are lower priority than things
like obviously exploitable /tmp race conditions, which I'm in the middle of
working through...

In response to another message: OpenServer's `crontab` _is_ setgid (to group
cron), and is not setuid. This is by deliberate design and should not be
tampered with. The OpenServer cron package is not related to the ones
typically in use on Linux systems; its security measures are different.

>Bela<
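The two patterns Bela's reply contrasts, as an added example that is not code from the original post, from SCO, or from any OpenServer component: a setuid/setgid program that execs vi while still privileged (the person at the keyboard types ":!sh" and has that privilege, no overflow required), beside the corrected pattern that permanently drops privilege and hands the editor a minimal, sanitised environment so that a 7000-byte TERM like the one in the quoted report never reaches it. The editor path, the TERM policy, and every function name here are illustrative assumptions.

```c
/* Added example, not from the original post or from SCO. The editor path,
 * the TERM policy and all function names are illustrative assumptions. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define EDITOR   "/usr/bin/vi"  /* assumed path; adjust for the target system */
#define TERM_MAX 63             /* longer than any sane terminfo name: refuse it */

/* Return a TERM value fit to pass to a child: the caller's value if it is short
 * and made only of characters terminfo names actually use, otherwise "dumb". */
const char *safe_term(const char *term)
{
    static const char allowed[] = "abcdefghijklmnopqrstuvwxyz"
                                  "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                                  "0123456789-_.+";
    if (term == NULL || *term == '\0' || strlen(term) > TERM_MAX)
        return "dumb";
    if (strspn(term, allowed) != strlen(term))
        return "dumb";
    return term;
}

/* Permanently give up elevated IDs. Groups first, while any root privilege is
 * still available to do it, then the user. setregid/setreuid with both
 * arguments equal also reset the saved set-IDs, so a setgid-only program (such
 * as the crontab the reply mentions) cannot climb back up later with setegid().
 * Returns 0 on success, -1 on failure. Harmless when nothing is elevated. */
int drop_privileges(void)
{
    gid_t rgid = getgid();
    uid_t ruid = getuid();

    if (setregid(rgid, rgid) != 0)
        return -1;
    if (setreuid(ruid, ruid) != 0)
        return -1;
    /* Never trust the calls alone: confirm the drop actually took effect. */
    if (getegid() != rgid || geteuid() != ruid)
        return -1;
    return 0;
}

/* Non-zero while the process still holds an effective ID beyond its real one. */
int still_privileged(void)
{
    return geteuid() != getuid() || getegid() != getgid();
}

/* The pattern the reply calls "stupid (and probably exploitable)": the elevated
 * IDs and the caller's whole environment go straight to the editor, and ":!sh"
 * inside vi yields a shell with those IDs. Kept only for contrast; do not ship. */
int run_editor_unsafe(const char *file)
{
    execl(EDITOR, "vi", file, (char *)NULL);
    return -1;                  /* only reached if exec itself failed */
}

/* The corrected pattern: drop privilege, refuse to go on if that fails, then
 * exec with a minimal environment instead of the one we inherited. */
int run_editor_safe(const char *file)
{
    char  term_var[sizeof("TERM=") + TERM_MAX];
    char *envp[3];

    if (drop_privileges() != 0 || still_privileged())
        return -1;

    snprintf(term_var, sizeof term_var, "TERM=%s", safe_term(getenv("TERM")));
    envp[0] = term_var;
    envp[1] = "PATH=/bin:/usr/bin";
    envp[2] = NULL;

    execle(EDITOR, "vi", file, (char *)NULL, envp);
    return -1;                  /* only reached if exec itself failed */
}

int main(int argc, char **argv)
{
    const char *file = argc > 1 ? argv[1] : "/tmp/example.txt";
    if (run_editor_safe(file) != 0) {
        perror("run_editor_safe");
        return 1;
    }
    return 0;
}
```

Run as an ordinary user the program simply opens the file in vi; installed setuid or setgid, the point is that by the time vi starts, getuid() == geteuid() and getgid() == getegid(), so a ":!sh" escape buys nothing. Dropping privilege is the fix; the TERM filtering is defence in depth against the crashes in the quoted report, which, as the reply says, would only have run a shell as the invoking user anyway.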
This archive was generated by hypermail 2b30 : Thu Jun 07 2001 - 17:27:00 PDT