|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: [SECURITY] Seyon is vulnerable to a root exploit
Bruno Morisson (morisson
CRYOGEN.COM)Mon, 31 Aug 1998 19:34:32 +0100
- Messages sorted by: [ date ][ thread ][ subject ][ author ]
- Next message: X-Force: "ISS Security Advisory: Executable Directories in IIS 4.0"
- Previous message: Andrew Finkenstadt: "Re: Hole in Oracle Server/Developer 2000 - authentication"
- Maybe in reply to: Martin Schulze: "[SECURITY] Seyon is vulnerable to a root exploit"
Martin Schulze wrote: > Since SGI does not provide exploit information, we are unable to > fix the problem. SGI provided such information only to recognized > security response/incident/coordination organizations and bugtraq > doesn't seem to be accepted. SGI doesn't develop patches to third > party products, thus there is no chance for a quick fix. The bug is in a command line argument to seyon. If you do root:~# seyon -noemulator <very long string (approximately 200 bytes)> it will overflow. Getting a shell is trivial (although it needs to regain previleges through a setreuid(0,0) for example, since seyon drops previleges), but we were unable to find any Linux distribution that shipped seyon suid root(at least not the latest slackware and redhat5.1, we had no access to others). It seems that in redhat 5.1 it is sgid uucp. We were able to exploit the bug, so in cases where seyon is suid root it is possible to get a root shell. Regards, Bruno Morisson and Marco Vaz
- Next message: X-Force: "ISS Security Advisory: Executable Directories in IIS 4.0"
- Previous message: Andrew Finkenstadt: "Re: Hole in Oracle Server/Developer 2000 - authentication"
- Maybe in reply to: Martin Schulze: "[SECURITY] Seyon is vulnerable to a root exploit"