fbsd 3.3 ospf_monitor research
Brock Tellier (btellier at USA.NET)
Fri, 8 Oct 1999 14:23:47 MDT
- Next message: Rob Quinn: "SSH and X11 forwarding"
- Previous message: Me Uh, K.: "Newbie in Jeopardy"
- Next in thread: Jeff Bachtel: "Re: fbsd 3.3 ospf_monitor research"
- Reply: Jeff Bachtel: "Re: fbsd 3.3 ospf_monitor research"
I wonder if anyone could research fbsd 3.3's ospf_monitor program. It has an
exploitable buffer overflow:
bash-2.03$ ./smashf 1100 600
Using address: 0xbfbfd834
bash-2.03$ ospf_monitor AA$RET
listening on 0.0.0.0.1495
monconf: Can't open monitor conf file
...
uid=1000 euid=1000 gid=1000 egid=1000
bash-2.03$
But evidently it drops privs before it occurs (apparently after it binds to port
1495). Now why, if it binds to an unprivileged port, would it have suidroot privs
to begin with? And what could command execution actually get us if not a
rootshell?
Brock Tellier
UNIX Systems Administrator
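The post's observation (the overflow lands after the program has already dropped to the caller's uid) is the general design point: a setuid program should drop privileges permanently before it touches anything an unprivileged caller controls, including its own argv, and should then prove the drop worked. The example below is added here and is not code from the post or from FreeBSD's ospf_monitor; it assumes nothing about how ospf_monitor itself drops privileges. Note that `id`-style output as quoted in the post shows only the real and effective ids; whether a drop is permanent depends on the saved set-user-ID as well, so the check reads all three with getresuid() and additionally confirms that becoming root again fails. The function names, the 256-byte buffer and the argument-copy helper are illustrative choices, not anything from the page.

```c
/* Added example (not from the post): drop privileges before parsing
 * untrusted input, verify the drop is permanent, then bounds-check input. */
#include <sys/types.h>
#include <unistd.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>

#ifdef __linux__
/* glibc only declares these under _GNU_SOURCE; declare them explicitly so
 * the example builds regardless of which feature macros precede it. */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid);
#endif

/* Permanently drop to uid/gid. Returns 0 on success, -1 on failure.
 * Order matters: supplementary groups and the gid can only be changed
 * while still root, so they go before setuid(). As root, setuid() sets
 * the real, effective AND saved uid, which is what makes the drop final. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;               /* clear supplementary groups (root only) */
    if (setgid(gid) != 0)
        return -1;               /* gid first: needs root to succeed */
    if (setuid(uid) != 0)
        return -1;               /* real, effective and saved uid all become uid */
    return 0;
}

/* Returns 1 only if every real/effective/saved id equals the target and,
 * for a non-root target, re-elevation is impossible. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    if (ru != uid || eu != uid || su != uid)
        return 0;
    if (rg != gid || eg != gid || sg != gid)
        return 0;
    /* A saved uid of 0 would let setuid(0)/seteuid(0) succeed here. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return 0;
    return 1;
}

/* Bounded copy of an argument into a fixed buffer (the kind of copy an
 * overflow like the one in the post points at). Always NUL-terminates;
 * returns 1 if the whole input fit, 0 if it was truncated. */
int copy_arg_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0)
        return 0;
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);
    return 1;
}

int main(int argc, char **argv)
{
    char conf[256];              /* illustrative fixed-size buffer */

    /* Step 1: drop to the invoking user before looking at argv at all. */
    if (drop_privileges_permanently(getuid(), getgid()) != 0) {
        perror("drop_privileges_permanently");
        return 1;
    }
    if (!privileges_dropped(getuid(), getgid())) {
        fprintf(stderr, "privilege drop could not be verified, refusing to run\n");
        return 1;
    }

    /* Step 2: only now handle caller-controlled input, with bounds enforced. */
    if (argc > 1 && !copy_arg_bounded(conf, sizeof conf, argv[1]))
        fprintf(stderr, "argument truncated to %zu bytes\n", sizeof conf - 1);

    printf("uid=%u euid=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    return 0;
}
```

Run as an ordinary user the program simply confirms the ids it already has; the interesting case is the setuid-root install, where the verification step is what would catch a drop done with seteuid() alone (effective uid changed, saved uid still 0). Whether ospf_monitor needs root at all for an unprivileged port, as the post asks, is a separate question; a program that does not need it is better off not being setuid in the first place.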
This archive was generated by hypermail 2.0b3 on Sat Oct 09 1999 - 00:26:23 CDT