Bugtraq mailing list archives
Re: BASH buffer overflow, LiNUX x86 exploit
From: crispin () CSE OGI EDU (Crispin Cowan)
Date: Sat, 19 Sep 1998 19:14:06 -0700
While experimenting with MiG's exploit, I've discovered another ramification of this form of vulnerability: the locate facility. If you leave the huge directory tree that this exploit builds lying around over night, and you have locate installed in your crontab (default in Red Hat Linux) then it builds a locate database entry that causes the locate command to seg fault. Result: if root uses locate to find something (very common while sysadmin is trying to fix/find something) then the attacker may get root privs via the locate command.

Related question: I have been unable to get MiG's exploit to work. I have RH 5.1 installed, but I made sure to get bash 1.14.7(1) to test it. It builds the big nasty directory tree, but cd'ing to it as instructed just produces a seg fault.

Crispin
-----
Crispin Cowan, Research Assistant Professor of Computer Science, OGI
NEW: Protect Your Linux Host with StackGuard'd Programs :FREE
http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
Support Justice: Boycott Windows 98
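The failure mode discussed above (a deeply nested directory tree producing a pathname longer than a fixed-size buffer in bash or locate) comes down to unbounded path concatenation. The following is an added illustration, not code from this thread, from bash or from locate: a hypothetical bounds-checked path builder that refuses an overlong result instead of overflowing, exercised on a constructed nested tree path.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical hardened path builder (added example, not bash/locate code).
 * Appends one directory component to `path`, which lives in a buffer of
 * `cap` bytes. Returns 0 on success, -1 if the result would not fit,
 * leaving `path` unchanged and NUL-terminated in that case. The unsafe
 * pattern is a fixed char[] plus strcat()/sprintf() with no length check. */
int join_component(char *path, size_t cap, const char *comp)
{
    size_t plen = strlen(path);
    size_t clen = strlen(comp);
    int need_sep = (plen > 0 && path[plen - 1] != '/');
    /* plen + optional '/' + clen + terminating NUL must fit in cap */
    if (plen + (size_t)need_sep + clen + 1 > cap)
        return -1;
    if (need_sep)
        path[plen++] = '/';
    memcpy(path + plen, comp, clen + 1);
    return 0;
}

/* Builds a constructed deeply nested path ("/tmp/x/x/x/...") into a fixed
 * buffer, stopping when the bound is hit. Returns the number of nested
 * components that fit; a caller comparing that with the requested depth
 * detects an overlong path rather than silently overrunning the buffer. */
size_t build_nested_path(char *buf, size_t cap, const char *comp, size_t depth)
{
    size_t added = 0;
    buf[0] = '\0';
    if (join_component(buf, cap, "/tmp") != 0)
        return 0;
    for (; added < depth; added++)
        if (join_component(buf, cap, comp) != 0)
            break;
    return added;
}

int main(void)
{
    char buf[64];
    size_t got = build_nested_path(buf, sizeof buf, "x", 1000);
    printf("fit %zu of 1000 components, path length %zu: %s\n",
           got, strlen(buf), buf);
    return 0;
}
```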
Current thread:
- BASH buffer overflow, LiNUX x86 exploit MiG (Sep 05)
- <Possible follow-ups>
- Re: BASH buffer overflow, LiNUX x86 exploit Crispin Cowan (Sep 19)
- Re: BASH buffer overflow, LiNUX x86 exploit J. Joseph Max Katz (Sep 19)
- Locate overflow / Promiscuous mode / Posting tips David J. Meltzer (Sep 19)