Bugtraq mailing list archives

Re: a few bugs ...

From: lcamtuf () DIONE IDS PL (Michal Zalewski)
Date: Tue, 21 Mar 2000 08:49:04 +0100


On Mon, 20 Mar 2000, Daniel Jacobowitz wrote:

Actually, it was exploitable, if you are referring to the
username-passed-in-format-string bit.  In my efforts for
crack.linuxppc.org (which I have not gotten around to writing up yet,
but will - there were a few interesting tidbits), I used that for two
tricks: to gain root access within the chroot and to disable dropping
of capabilities.


Hmm, correct me if I'm wrong, but in this particular case, we're not
inside chroot() cage nor ntalkd is not using capabilities. In next post,
I've described we don't have enough space to overwrite anything
interesting on stack, at least when we can overwrite it only with small
integer. I'd appreciate if you tell me what I've missed.

_______________________________________________________
Michal Zalewski * [lcamtuf () ags pl] <=> [AGS WAN SYSADM]
[dione.ids.pl SYSADM] <-> [http://lcamtuf.na.export.pl]
[+48 22 551 45 93] [+48 603 110 160] bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=

Current thread:

Network File Resource Vulnerability, (continued)
- - - Network File Resource Vulnerability Eric Hacker (Mar 09)
    - Re: Network File Resource Vulnerability David LeBlanc (Mar 11)
    - misc. cross site scripting issues Marc Slemko (Mar 12)
    - a few bugs ... Maurycy Prodeus (Mar 13)
    - Re: a few bugs ... Thomas Roessler (Mar 15)
    - Re: a few bugs ... Michal Zalewski (Mar 17)
    - Patch: ip_masq_ftp / Linux 2.2.x (extended FTP ALG vulnerabilty) Bjarni R. Einarsson (Mar 20)
    - Microsoft Security Bulletin (MS00-018 Microsoft Product Security (Mar 20)
    - Re: a few bugs ... Coke (Mar 20)
    - Re: a few bugs ... Daniel Jacobowitz (Mar 20)
    - Re: a few bugs ... Michal Zalewski (Mar 20)
    - DoS with NAVIEG PAUL VanDyke (Mar 17)
    - [ANNOUNCE] strace for NT tsabin () RAZOR BINDVIEW COM (Mar 13)
    - Linux patch for blocking buffer overflow based attacks massimo () IAC RM CNR IT (Mar 10)
    - ICQ remote DoS Philip Stoev (Mar 10)
  - TESO advisory -- atsadc krahmer () CS UNI-POTSDAM DE (Mar 11)
  - Re: [ Hackerslab bug_paper ] Linux printtool get printer passwor Brian Knotts (Mar 13)
- Enumerate Root Web Server Directory Vulnerability for IIS 4.0 Jason Lutz (Mar 09)
  - Re: Enumerate Root Web Server Directory Vulnerability for IIS 4.0 Chris Paget (Mar 17)
  - SQL Server Vulnerability details Chip Andrews (Mar 18)
- Re: PGP Signatures security BUG! Florian Weimer (Mar 10)

(Thread continues...)