Hi!

After doing a suid check on my SuSE Linux 7.0 x86 I found something interesting:

hegi@faust:~ > ls -la /usr/sbin/dip
-rwsr-xr-- 1 root dialout 62056 Jul 29 2000 /usr/sbin/dip

DIP: Dialup IP Protocol Driver version 3.3.7p-uri (25 Dec 96)
Written by Fred N. van Kempen, MicroWalt Corporation.

I considered this a sort of old version and did some searching and found something on insecure.org.

Description: Standard overflow (in the -l option processing).
Author: Goran Gajic <ggajicat_private>
Compromise: root (local)
Vulnerable Systems: Slackware Linux 3.4, presumably any other system using dip-3.3.7o or earlier suid root.
Date: 5 May 1998

Referring to a Bugtraq post from May 5, 1998, I did this:

hegi@faust:~ > /usr/sbin/dip -k -l `perl -e 'print "a" x 20000'`
DIP: Dialup IP Protocol Driver version 3.3.7p-uri (25 Dec 96)
Written by Fred N. van Kempen, MicroWalt Corporation.
DIP: cannot open /var/lock/LCK..aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa: Datei oder Verzeichnis nicht gefunden
Speicherzugriffsfehler

Looks like this version is still vulnerable. Although it's not world executable it's a security risk. And I'm wondering why SuSE just didn't bother with providing a patched version in one of their new distributions. SuSE 7.0 wasn't released in 1998.

Have a nice day.
Sebastian Hegenbart
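
The output above shows the -l argument being used as the name of a lock file under /var/lock/LCK.. before the segmentation fault ("Speicherzugriffsfehler"). The following is an added example, not code from dip or from the original post, of how a setuid program can build such a lock path with a length check, a character whitelist and truncation detection. The function name build_lock_path, the 32-character cap and the allowed character set are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define LOCK_DIR      "/var/lock"
#define LOCK_PREFIX   "LCK.."
#define LINE_NAME_MAX 32   /* assumed upper bound for a tty device name */
#define NAME_CHARS "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-"

/* Build "/var/lock/LCK..<line>" into out. Returns 0 on success, -1 if the
 * name is rejected or would not fit; out is left empty on failure. */
int build_lock_path(const char *line, char *out, size_t outlen)
{
    size_t n;
    int written;

    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (line == NULL)
        return -1;

    n = strlen(line);
    if (n == 0 || n > LINE_NAME_MAX)
        return -1;                      /* empty or oversized argument */
    if (strspn(line, NAME_CHARS) != n)
        return -1;                      /* '/', '.' and other bytes rejected */

    written = snprintf(out, outlen, "%s/%s%s", LOCK_DIR, LOCK_PREFIX, line);
    if (written < 0 || (size_t)written >= outlen) {
        out[0] = '\0';                  /* truncated: never use a partial path */
        return -1;
    }
    return 0;
}

int main(void)
{
    static char big[20001];             /* constructed input, same length as in the post */
    char path[64];

    memset(big, 'a', sizeof big - 1);
    printf("ttyS0 -> %d (%s)\n", build_lock_path("ttyS0", path, sizeof path), path);
    printf("20000 x 'a' -> %d\n", build_lock_path(big, path, sizeof path));
    printf("../etc/x -> %d\n", build_lock_path("../etc/x", path, sizeof path));
    return 0;
}
```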