Bugtraq mailing list archives
Re: fts, du, find
From: venglin () GADACZKA DHS ORG (Przemyslaw Frasunek)
Date: Fri, 14 May 1999 19:14:02 +0200
> 2. This bug probably applies to FreeBSD-3.1 and even to OpenBSD and others.

Yes, I've tested it on 3.1-STABLE.

> I have no exploit and probably will not have free time (I think 3 days is more than enough) for doing it, but I believe it is possible to exploit this bug using a carefully designed directory tree to execute arbitrary commands as root during /etc/daily->/etc/security->find. REMOTE ROOT EXPLOIT (POSSIBLE).
I think that it will be hard to write an exploit. I've tested it on my 2.2.8-RELEASE at home. 'Find' segfaults when it tries to do:

    (void)puts(entry->fts_path);

because of a junk pointer to structure 'entry'. IMHO it _always_ points to 0x200291d6, so it tries to execute (IMHO) _always_ the same commands:

    0x200291d6 <puts+34>: repnz scasb %es:(%edi),%al
    0x200291d7 <puts+35>: scasb %es:(%edi),%al
    0x200291d8 <puts+36>: movl %ecx,%eax
    0x200291d9 <puts+37>: enter $0xd0f7,$0x89
    0x200291da <puts+38>: notl %eax
    0x200291db <puts+39>: rorb 0x488de455(%ecx)
    0x200291dc <puts+40>: movl %edx,0xffffffe4(%ebp)
    0x200291dd <puts+41>: pushl %ebp
    0x200291de <puts+42>: inb $0x8d,%al
    0x200291df <puts+43>: leal 0xffffffff(%eax),%ecx
    0x200291e0 <puts+44>: decl %eax
    0x200291e1 <puts+45>: decl 0x938de84d(%ecx)
    0x200291e2 <puts+46>: movl %ecx,0xffffffe8(%ebp)
    0x200291e3 <puts+47>: decl %ebp
    0x200291e4 <puts+48>: call 0xc1532576 <end+2705991902>

and here it segfaults.

--
* Fido: 2:480/124 ** WWW: lagoon.freebsd.org.pl/~venglin ** GSM:48-601-383657 *
* Inet: venglin () lagoon freebsd org pl ** PGP:D48684904685DF43EA93AFA13BE170BF *