Re: Buffer overflow vulnerability in action argument of dtaction

From: w3 (warning3at_private)
Date: Tue Oct 16 2001 - 05:16:47 PDT


    It looks like dtaction has dropped the root privilege (setuid(getuid()))
    before the overflow happens. So this bug won't give you any more privilege.
    
    [Solaris 7, SPARC]
    [root@ /]> truss -t'!all' -u libc:getuid,setuid /usr/dt/bin/dtaction foo `perl -e 'print "A"x4000'`
    
    -> libc:getuid(0x4, 0x1, 0x0, 0xfed78458)
    <- libc:getuid() = 0
    -> libc:getuid(0x1, 0x3, 0xff31c258, 0x13a18)
    <- libc:getuid() = 0
    -> libc:setuid(0x0, 0x0, 0xffbeedf8, 0x24400)
    <- libc:setuid() = 0
    -> libc:getuid(0x4, 0x1, 0x0, 0xfed78458)
    <- libc:getuid() = 0
        Incurred fault #6, FLTBOUNDS  %pc = 0xFEEB6C50
          siginfo: SIGSEGV SEGV_MAPERR addr=0x41413D41
        Received signal #11, SIGSEGV [default]
          siginfo: SIGSEGV SEGV_MAPERR addr=0x41413D41
            *** process killed ***
    
    
    ---Original Message---
    From : <bknightat_private>
    Date : Tue, 16 Oct 2001 06:57:24 +0900 (KST)
    
    > 
    > r0ar Security Advisory
    > October 5, 2001
    > 
    > Buffer overflow vulnerability in action argument of dtaction
    [...snip...]
    > 
    > ---
    > http://www.r0ar.org (formely known as ksecurity)
    > 
    > e-mail : bknightat_private
    > 
    > 
    > 
    
    Regards,
    warning3 <warning3at_private>
    http://www.nsfocus.com
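    The pattern warning3 observed in the truss output, written out as a checked
    routine. This is an added example, not code from the original post and not
    dtaction's own source; the function names (drop_privileges, copy_action_name)
    and the MAX_ACTION limit are hypothetical. It drops group and user privileges
    before touching any argument, verifies that the effective ids really match the
    real ids and that the privilege cannot be re-raised, and then copies the
    untrusted action argument into a fixed buffer only if it fits.

```c
/* Added example (not from the original post or from dtaction): drop
   privileges before parsing untrusted arguments, then verify the drop.
   drop_privileges, copy_action_name and MAX_ACTION are hypothetical names. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define MAX_ACTION 256   /* hypothetical upper bound for an action name */

/* Permanently drop elevated privileges to the real uid/gid.
   Group first: once the user id is dropped, setgid() to anything other
   than the real gid would no longer be permitted.
   Returns 0 on success, -1 if any id still differs from the real one or
   if root could be regained afterwards. */
int drop_privileges(void)
{
    gid_t rgid = getgid();
    uid_t ruid = getuid();

    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)
        return -1;

    /* Effective ids must now equal the real ids. */
    if (getegid() != rgid || geteuid() != ruid)
        return -1;

    /* For a process that was not started by root, re-raising to uid 0
       must fail; if it succeeds, the saved set-user-id was not cleared. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;

    return 0;
}

/* Copy an untrusted argument (e.g. argv[1]) into a fixed-size buffer,
   refusing anything that would not fit together with its NUL terminator.
   Returns the copied length, or -1 if the argument is too long. */
int copy_action_name(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstlen)
        return -1;
    memcpy(dst, src, n + 1);
    return (int)n;
}

int main(int argc, char **argv)
{
    char action[MAX_ACTION];

    /* Drop privileges before looking at any argument, which is the order
       the truss trace above shows for dtaction. */
    if (drop_privileges() != 0) {
        fprintf(stderr, "could not drop privileges\n");
        return 1;
    }
    if (argc < 2) {
        fprintf(stderr, "usage: %s action\n", argv[0]);
        return 2;
    }
    if (copy_action_name(action, sizeof action, argv[1]) < 0) {
        fprintf(stderr, "action name too long (max %d)\n", MAX_ACTION - 1);
        return 3;
    }
    printf("action: %s\n", action);
    return 0;
}
```

    Run as an unprivileged user, drop_privileges() succeeds trivially and the
    re-raise check confirms that uid 0 cannot be obtained; with an overlong
    action argument the program exits before any copy happens instead of
    faulting as in the trace above.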
    


