Full Disclosure mailing list archives
Re: McAfee Virus Scan for Linux and Unix v5.10.0 Local Buffer Overflow
From: sebastian () wolfgarten com
Date: Wed, 15 Aug 2007 20:10:47 +0200 (CEST)
But Joey as I said before, maybe somebody assigned SUID root privileges to the scanner to enable ordinary users to run the scanner? I know this is not the case by default but it might happen (and will result in a local privilege escalation). For instance, in a similar buffer overflow that I discovered earlier this year in Trend Micro's virus scanner this was the exact problem... Best regards, Sebastian
You are playing handpuppet of the jackass, actually. Check PATH_MAX in the Linux Kernel. J On Wed, 15 Aug 2007 12:53:18 -0400 monikerd <monikerd () gmail com> wrote:Joey Mengele wrote:Where does security come into play here? This is a local crashin anon setuid binary. I would like to hear your remote exploitationscenario. Or perhaps your local privilege escalation scenario? JI'll play advocate of the devil then. Imagine a wiki running on a webserver, that allows anybody to create new topics which end up in /articles/[Topic].txt with sufficient .htaccess stuff in /articles to twart most usual attacks .. If you could create an arbitrary long topic, then you *might* be able to execute some code, when some cronjob would scan the drive and come across the file? creating files is a different privilege than running code. Hence imho it's not a bogus advisory. another possibility would be to create an archive that extracts an incredibly long filename perhaps? scanning an archive before/after it's extracted is a pretty common event i guess.-- Truck Rentals - Click Here. http://tagline.hushmail.com/fc/Ioyw6h4deMfubiVvi7gHv4s7CdhKJ8kEwJlfzSquIJmjLCuoP1m9Dv/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- McAfee Virus Scan for Linux and Unix v5.10.0 Local Buffer Overflow Sebastian Wolfgarten (Aug 15)
- Re: McAfee Virus Scan for Linux and Unix v5.10.0 Local Buffer Overflow Harry Muchow (Aug 15)
- Re: McAfee Virus Scan for Linux and Unix v5.10.0 Local Buffer Overflow Joseph Hick (Aug 15)
- <Possible follow-ups>
- Re: McAfee Virus Scan for Linux and Unix v5.10.0 Local Buffer Overflow Joey Mengele (Aug 15)
- Re: McAfee Virus Scan for Linux and Unix v5.10.0 Local Buffer Overflow monikerd (Aug 15)
- Re: McAfee Virus Scan for Linux and Unix v5.10.0 Local Buffer Overflow Joey Mengele (Aug 15)
- Re: McAfee Virus Scan for Linux and Unix v5.10.0 Local Buffer Overflow sebastian (Aug 15)
- Re: McAfee Virus Scan for Linux and Unix v5.10.0 Local Buffer Overflow 3APA3A (Aug 16)
- Re: McAfee Virus Scan for Linux and Unix v5.10.0 Local Buffer Overflow Harry Muchow (Aug 15)