Hey, the 2xs Security team found a new bug in elm; although it's not suid on Linux systems (Red Hat 6.2, Mandrake 8.0, Slackware 7.1), we believe it's suid on other kinds of *nix OS such as HP-UX.

w00p@Analyzer:/tmp/w00p/elm2.5.3/bin$ id
uid=100(w00p) gid=100(users) groups=100(users)
w00p@Analyzer:/tmp/w00p/elm2.5.3/bin$
w00p@Analyzer:/tmp/w00p/elm2.5.3/bin$ export EDITOR=`perl -e 'print "A" x 2000;'`
w00p@Analyzer:/tmp/w00p/elm2.5.3/bin$ elm

Notice:
ELM requires an ".elm" subdirectory off your home directory to hold
information such as your configuration preferences (the "elmrc" file) and
aliases.

May I create this directory for you (yes/no/quit) ? [y] : n
Segmentation fault
w00p@Analyzer:/tmp/w00p/elm2.5.3/bin$
w00p@Analyzer:/tmp/w00p/elm2.5.3/bin$ gdb ./elm
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(gdb) r
Starting program: /tmp/w00p/elm2.5.3/bin/./elm
warning: Unable to find dynamic linker breakpoint function.
GDB will be unable to debug shared library initializers
and track explicitly loaded dynamic code.

Notice:
ELM requires an ".elm" subdirectory off your home directory to hold
information such as your configuration preferences (the "elmrc" file) and
aliases.

May I create this directory for you (yes/no/quit) ? [y] : n

Program received signal SIGSEGV, Segmentation fault.
0x40074486 in catgets () from /lib/libc.so.6
(gdb) where
#0  0x40074486 in catgets () from /lib/libc.so.6
#1  0x805b6a6 in create_private_dir ()
#2  0x805b3fc in initialize ()
#3  0x80520bd in main ()
#4  0x4006faa7 in __libc_start_main () from /lib/libc.so.6
(gdb) info registers
eax            0x41414141       1094795585
ecx            0x40014000       1073823744
edx            0x0              0
ebx            0x4013bed4       1075035860
esp            0xbfffeca0       0xbfffeca0
ebp            0xbfffecb4       0xbfffecb4
esi            0x41414141       1094795585
edi            0xbffff264       -1073745308
eip            0x40074486       0x40074486
eflags         0x10202          66050
cs             0x23             35
ss             0x2b             43
ds             0x2b             43
es             0x2b             43
fs             0x0              0
gs             0x0              0
fctrl          0x37f            895
fstat          0x0              0
ftag           0xffff           65535
fiseg          0x0              0
fioff          0x0              0
foseg          0x0              0
fooff          0xbffff8a4       -1073743708
fop            0x0              0
(gdb)

The bug was found with BOS, the Binary Overflow Scanner tool made by the 2xs Security team. At this point we shall not release an exploit.

For questions or comments:

Ehud Tenenbaum <analyzerat_private>  CTO & Project manager.
Izik Kotler <izikat_private>  Senior programmer.
Mixter <mixterat_private>  Senior programmer.
acz <aczat_private>  QA/Programmer.

--
------------
Ehud Tenenbaum
C.T.O & Project Manager
2xs LTD.
Tel: 972-9-9519980
Fax: 972-9-9519982
E-Mail: ehudat_private
------------
Have A Safe Day
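The crash in the transcript above is the classic environment-variable stack overflow: $EDITOR is copied into a fixed-size buffer with no length check, and the register dump (eax and esi both 0x41414141) shows that the 'A' bytes have overwritten a pointer that catgets() then dereferences. The C program below is an added example, not elm's source and not 2xs code: a hypothetical editor-name reader written with the unchecked strcpy pattern, beside a bounds-checked replacement that rejects over-long values instead of copying them, plus a helper that builds the 2000-byte EDITOR value the same way the perl one-liner does. The buffer size EDITOR_MAX, the "vi" default and all function names are assumptions.

```c
/* Added example (not elm's code): the $EDITOR overflow pattern and a
 * bounds-checked alternative. All names and sizes here are hypothetical. */
#define _POSIX_C_SOURCE 200809L   /* for setenv/unsetenv */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EDITOR_MAX     64         /* assumed fixed-size buffer for the editor path */
#define DEFAULT_EDITOR "vi"       /* assumed fallback when $EDITOR is unusable */

/* VULNERABLE pattern (shown for contrast, never called here): copies $EDITOR
 * into a fixed stack buffer with no bound. With EDITOR set to 2000 'A's the
 * copy runs past the buffer and overwrites whatever follows it on the stack,
 * such as saved pointers, saved registers or the return address. A pointer
 * overwritten with 0x41414141 and later dereferenced is exactly the kind of
 * fault the gdb register dump in the advisory shows. */
void read_editor_unsafe(char out[EDITOR_MAX])
{
    const char *e = getenv("EDITOR");
    if (e == NULL || *e == '\0')
        e = DEFAULT_EDITOR;
    strcpy(out, e);               /* overflow whenever strlen(e) >= EDITOR_MAX */
}

/* HARDENED version: measure first, and refuse an over-long value rather than
 * silently truncating it (a truncated path could still execute the wrong
 * program). Returns 0 if $EDITOR was used (or was unset and the default was
 * taken), -1 if it was present but rejected; in both cases `out` holds a
 * valid NUL-terminated editor name. Assumes outlen >= sizeof DEFAULT_EDITOR. */
int read_editor_safe(char *out, size_t outlen)
{
    const char *e = getenv("EDITOR");
    int rc = 0;
    if (e == NULL || *e == '\0') {
        e = DEFAULT_EDITOR;       /* unset or empty: plain default, not an error */
    } else if (strlen(e) >= outlen) {
        e = DEFAULT_EDITOR;       /* over-long: reject and fall back */
        rc = -1;
    }
    snprintf(out, outlen, "%s", e);   /* e is known to fit at this point */
    return rc;
}

/* Constructed test input: n 'A' bytes, the C equivalent of the advisory's
 * perl -e 'print "A" x 2000'. Caller frees the result. */
char *make_a_string(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

/* Scenario helper: set $EDITOR to `value` (NULL = unset), run the hardened
 * reader into an EDITOR_MAX-byte buffer and return its result; the editor
 * actually chosen is left in `chosen` (at least EDITOR_MAX bytes). */
int try_editor(const char *value, char *chosen)
{
    if (value == NULL)
        unsetenv("EDITOR");
    else
        setenv("EDITOR", value, 1);
    return read_editor_safe(chosen, EDITOR_MAX);
}

int main(void)
{
    char chosen[EDITOR_MAX];
    char *a2000 = make_a_string(2000);
    if (a2000 == NULL)
        return 1;

    int rc = try_editor(a2000, chosen);
    printf("EDITOR=<2000 x 'A'>  -> %s, editor=%s\n",
           rc == 0 ? "accepted" : "rejected", chosen);

    rc = try_editor("/usr/bin/vim", chosen);
    printf("EDITOR=/usr/bin/vim   -> %s, editor=%s\n",
           rc == 0 ? "accepted" : "rejected", chosen);

    free(a2000);
    return 0;
}
```

Build with `gcc -Wall -o editor_check editor_check.c` and run it; the 2000-byte value is rejected and the default is used, while a normal path is accepted. Note that in a setuid binary the whole environment is attacker-controlled, so a length check on $EDITOR alone is necessary but not sufficient: every other environment-derived string needs the same treatment, and the safest course for a privileged program is to ignore such variables entirely or run the editor from a fixed allowlist.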
This archive was generated by hypermail 2b30 : Sun Feb 24 2002 - 21:11:17 PST