OSEC

 
From: zenith parsec (zenith_parsecthe-astronaut.com)
Date: Sun May 13 2001 - 15:17:22 CDT


    ========================================================
    Vulnerable systems: redhat 7.0 with man-1.5h1-10 (default
    package) and earlier.
    =========================================================
    Heap Based Overflow of man via -S option gives GID man.

    Due to a slight error in a length check, the -S option to man can cause
    a buffer overflow on the heap, allowing redirection of execution into
    user supplied code.

    man -S `perl -e 'print ":" x 100'`

    Will cause a seg fault if you are vulnerable.

    It is possible to insert a pointer into a linked list that will allow
    overwriting of any value in memory that is followed by 4 null characters
    (a null pointer). One such memory location is the last entry on the GOT
    (global offset table). When another item is added to the linked list,
    the address of the data (a filename) is inserted over the last value,
    effectively redefining the function to the code represented by the
    filename.

    Putting shellcode in the filename allows execution of arbitrary code when the
    function referred to is called.

    Redhat has been contacted, and will be releasing an errata soon.

    --zen-parse

    GID man allows a race condition for root via
    /etc/cron.daily/makewhatis and /sbin/makewhatis
