Subject: Re: /bin/su local libc exploit yielding a root shell
From: Matt Wilson (mswREDHAT.COM)
Date: Tue Oct 03 2000 - 23:59:35 CDT


I have been able to verify this exploit on stock Red Hat Linux 6.2,
and have verified that the rogue message catalog is not read when the
errata for glibc at:

http://www.redhat.com/support/errata/RHSA-2000-057-04.html

is applied.

Again - Red Hat, Inc. strongly recommends that all users upgrade to
the glibc errata in RHSA-2000-057-04 as it protects you against this
and similar exploits.

Cheers,

Matt
mswredhat.com

On Tue, Oct 03, 2000 at 12:25:14PM +0200, Guido Bakker wrote:
> /*
> Hail to thee dear readers,
>
> This is yet another /bin/su + buggy locale functions in libc exploit.
> The reason for writing it is rather easy to explain, all existing versions
> of "su" format bug exploits were very unreliable and tedious to use - the
> number of addresses on the stack, and thus the number of %.8x signs to use
> varied heavily, as well as the alignment. Return addresses were expected to
> be specified on the command line, which is imho an idiotic thing to combine
> with all the other options that also are to be 'brute forced'.
> Finding these values by hand is a too tedious thing to do and costs the
> average script-kid way too much time. I hoped to solve this in this exploit
> and have found it to work on many different machines so far by using a
> small brute forcing perl wrapper.

<code snipped>

> | Guido Bakker <guidobmainnet.nl>
> | Network Manager
>
> MainNet BV, http://www.mainnet.nl
> Phone: +31 (0)20 6133505
> Fax: +31 (0)20 6135640