On Wed, Jun 27, 2001 at 12:52:40AM -0700, Samy Kamkar [CommPort5] wrote:

> > [elguapo@linux elguapo]$ m4 %x,%x,%x,%x,%x,%x,%x
> > m4: 0,bffff818,4000d2ce,805df78,8048c56,4002e0bc,4014af2c: No such file or directory
> >
> > can anyone think of a situation where this could cause root
> > to be exploited... m4 is not suid to my understanding.
>
> Since it's not suid by default, you can't gain root from it directly.
> If another program (that is suid) is using it, then you might be able to
> depending on how it's used...also, that's assuming that format string
> bug is actually exploitable. It's only opening that file so I doubt you
> can do any exploitation with it...

If you can control the filename that is passed to m4 by a privileged program, there are far easier ways to gain privileges than trying to exploit a format string bug. Instead, pass the name of a file that you created, with contents like:

syscmd(touch /evil)

--
 - mdz
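
The bug class behind the quoted m4 output, as an added example that is not part of the thread and is not m4's source: a file name used as the format string of an error reporter, beside the corrected call. The `report`, `open_failed_flawed` and `open_failed_fixed` functions are hypothetical names, and the file name in `main` is constructed input.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical error reporter in the style of error(3): formats a
 * message into out and appends strerror(errnum). Not m4's real code. */
static void report(char *out, size_t n, int errnum, const char *fmt, ...)
{
    va_list ap;
    int used;

    va_start(ap, fmt);
    used = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    if (used < 0)
        used = 0;
    if ((size_t)used < n)
        snprintf(out + used, n - (size_t)used, ": %s", strerror(errnum));
}

/* Flawed: the file name is the format string, so "%x" in it makes
 * vsnprintf fetch arguments that were never passed (undefined behaviour;
 * in practice register or stack contents, as in the quoted output). */
void open_failed_flawed(char *out, size_t n, const char *name)
{
    report(out, n, ENOENT, name);
}

/* Fixed: constant format string, file name passed as data. */
void open_failed_fixed(char *out, size_t n, const char *name)
{
    report(out, n, ENOENT, "%s", name);
}

int main(void)
{
    char msg[256];
    const char *name = "%x,%x,%x";   /* constructed input, as in the thread */

    open_failed_fixed(msg, sizeof msg, name);
    printf("fixed:  m4: %s\n", msg);   /* the name appears literally */
    open_failed_flawed(msg, sizeof msg, name);
    printf("flawed: m4: %s\n", msg);   /* hex values instead of the name */
    return 0;
}
```

Building with `-Wformat -Wformat-security` flags calls like the flawed one when the reporter is declared with the `format(printf, ...)` attribute, as the libc printf family is.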
This archive was generated by hypermail 2b30 : Wed Jun 27 2001 - 21:27:43 PDT