Subject: Re: [ Hackerslab bug_paper ] Linux dump buffer overflow
From: Przemyslaw Frasunek (venglin@FREEBSD.LUBLIN.PL)
Date: Fri Mar 03 2000 - 17:08:35 CST
- Next message: LaMont Jones: "Re: Potential security problem with mtr"
- Previous message: vwaaijen: "ColdFusion Bug: Application.cfm shows full path"
- In reply to: Derek Callaway: "Re: [ Hackerslab bug_paper ] Linux dump buffer overflow"
- Reply: Przemyslaw Frasunek: "Re: [ Hackerslab bug_paper ] Linux dump buffer overflow"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 02-Mar-2000 Derek Callaway wrote:
> I believe this overflow is rather difficult to exploit, (although, not
> impossible) as a result of a setuid(getuid()) before the offending code
It does setuid(), but NOT setgid(). Still vulnerable.
The major problem is how to pass valid **envp to stack and let getenv()
successfully return. Probably possible by giving a pointer to some valid
environment in shared libs.
--
* Fido: 2:480/124 ** WWW: http://www.freebsd.lublin.pl ** NIC-HDL: PMF9-RIPE *
* Inet: venglin@freebsd.lublin.pl ** PGP: D48684904685DF43 EA93AFA13BE170BF *
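The reply's point is that a setuid(getuid()) call alone leaves the setgid privileges of dump in place. As an added illustration (not code from this thread or from dump), the following hypothetical `drop_privileges` helper shows the complete drop a setuid/setgid program should do: supplementary groups, then gid, then uid, with saved ids cleared and the result verified rather than assumed.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 when real, effective and saved uid/gid all equal the targets,
 * i.e. nothing can be regained via seteuid()/setegid(); otherwise 0. */
int ids_fully_dropped(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    return ru == uid && eu == uid && su == uid &&
           rg == gid && eg == gid && sg == gid;
}

/* Drop to (uid, gid). Group ids go first: once the uid is dropped a
 * non-root process can no longer change its gid, which is exactly the
 * gap a setuid()-only call leaves open. Returns 0 on success, -1 otherwise. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups can only be changed by root; skip otherwise. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    /* Saved ids are dropped too, so setegid()/seteuid() cannot restore them. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    /* Never trust the return codes alone; verify the resulting state. */
    return ids_fully_dropped(uid, gid) ? 0 : -1;
}

int main(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    printf("before: euid=%u egid=%u\n", (unsigned)geteuid(), (unsigned)getegid());
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("after:  euid=%u egid=%u\n", (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```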