
From: Hank Wang (hywangiss.com.tw)
Date: Mon Jun 11 2001 - 21:20:23 CDT


We found that "at" in Solaris is vulnerable on Solaris 7 and 8.
This kind of bug is discussed in Bugtraq ID 1634.

--<
Generally a program that needs to display a message to the user will obtain
the proper language-specific string from the database, using the original
message as the search key, and print the result using the printf(3) family of
functions. By building and installing a custom messages database, an attacker
can control the output of the message retrieval functions that gets fed to
the printf(3) functions.

Bad coding practices and the ability to feed format strings to the latter
functions make it possible for an attacker to execute arbitrary code as a
privileged user (root) using almost any SUID program on the vulnerable
systems.
>--

When the "at" command succeeds, it returns the message:
"commands will be executed using: <shell>\n"
A user can place a specified format string in the message returned by
gettext(), and set the NLSPATH environment variable..

Thus, a user may get root privilege..
The exploit will be released later...

--
Huang-Yu Wang
hankiss.com.tw
R&D Team, ISS-TW
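The defect class the post describes is a translated catalog string being handed to printf(3) as the format. The C below is an added example, not code from the post, from Sun or from ISS; it assumes that at(1) formats its success message from a msgid of the form "commands will be executed using: %s\n" with the shell as the single argument (the post shows only the "<shell>" placeholder), and all function names are mine. It shows the mitigation a catalog consumer can apply at runtime: compare the printf directives of the translation with those of the original msgid (the same comparison msgfmt -c performs at build time for c-format entries) and fall back to the built-in text when they differ, so a hostile NLSPATH catalog cannot add, remove or reorder conversions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Collect the conversion character of every printf directive in fmt
 * ("%s" -> 's', "%5.2lf" -> 'f'); "%%" is a literal percent and is skipped.
 * Writes at most outlen-1 characters plus a NUL to out and returns the
 * total number of directives found, even when they did not all fit. */
static size_t format_directives(const char *fmt, char *out, size_t outlen)
{
    size_t n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                       /* "%%" is not a directive */
        /* skip flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;
        if (!*p)
            break;                          /* truncated "%" at end of string */
        if (n + 1 < outlen)
            out[n] = *p;
        n++;
    }
    if (outlen)
        out[n < outlen ? n : outlen - 1] = '\0';
    return n;
}

/* Accept a translation only if its directives are exactly those of the
 * original msgid, in the same order. Any extra, missing or changed
 * conversion (including %n) means the catalog entry could steer printf(3)
 * and must not be used as a format. */
bool translation_is_safe(const char *msgid, const char *msgstr)
{
    char a[32], b[32];
    size_t na = format_directives(msgid, a, sizeof a);
    size_t nb = format_directives(msgstr, b, sizeof b);
    return na == nb && na < sizeof a && strcmp(a, b) == 0;
}

/* Assumed msgid for the message quoted in the post (hypothetical wording of
 * the original format; the real at(1) source is not on the page). */
static const char *const AT_MSGID = "commands will be executed using: %s\n";

/* Render the message into out. The translation comes from an untrusted
 * catalog (NLSPATH is user-controlled), so it is only used as a format after
 * translation_is_safe() confirms it has the same directives as AT_MSGID;
 * otherwise the built-in msgid is used. Returns bytes written, or -1 on
 * truncation or error. */
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
#pragma GCC diagnostic ignored "-Wformat-security"
int render_message(const char *translated, const char *shell,
                   char *out, size_t outlen)
{
    if (!translation_is_safe(AT_MSGID, translated))
        translated = AT_MSGID;              /* reject the catalog entry */
    int n = snprintf(out, outlen, translated, shell);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    char buf[128];
    /* constructed catalog entries: one legitimate, one with an extra directive */
    const char *good = "les commandes seront executees avec : %s\n";
    const char *bad  = "commands will be executed using: %s %s\n";

    render_message(good, "/bin/sh", buf, sizeof buf);
    fputs(buf, stdout);                     /* translated text is used */
    render_message(bad, "/bin/sh", buf, sizeof buf);
    fputs(buf, stdout);                     /* falls back to the built-in text */
    return 0;
}
```

The two pragmas silence the very warning (-Wformat-security) that flags this pattern; in production code the better fix is to keep that warning on and make the check, or a build-time msgfmt -c pass over every shipped catalog, the only path by which a non-literal reaches printf. glibc closes the same class by ignoring NLSPATH and similar variables in set-user-ID processes, which is the other half of the defence: a SUID program should not honour a user-supplied catalog at all.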