Vulnerability Development mailing list archives
Re: VULN-DEV Digest - 22 Mar 2000 to 23 Mar 2000 (#2000-61)
From: 11a () GMX NET (Bluefish)
Date: Sun, 26 Mar 2000 11:22:23 +0200
Uhm, it was my impression from the previous mails that no one could reproduce the problem described in the original email, or am I wrong? The mail said redhat 6.1, but a redhat 6.1 installation uses /var/spool/mail, I think there is something funny here? His id command does not behave as it does with rh 6.1 out of the box either! And the list goes on, my installation sets mail to group 12.

So, I think that either
1) his box is rooted
2) he's faking it, making fun of us or something.

Now watch me trying to reproduce the problem:

[admin@blue admin]$ cat dotid.c ; cc -c dotid.c ; cc -o dotid dotid.o ; mv dotid /var/spool/mail/admin ; chmod 4700 /var/spool/mail/admin ; id ; /var/spool/mail/admin
void main()
{
  setuid( 514 );
  setgid( 12 );
  system("/bin/sh");
}
dotid.c: In function `main':
dotid.c:2: warning: return type of `main' is not `int'
uid=514(admin) gid=100(users) groups=100(users),514(admin)
bash$ id
uid=514(admin) gid=100(users) groups=100(users),514(admin)
bash$

Unless there's something wrong with my c-code (I'm *not* very good with c) there's no real vulnerability at work? The exploit does *not* work with redhat 6.1, and the mail stating that it was for rh 6.1 was executing on an environment far away from rh 6.1, possibly a rooted box.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
http://www.11a.nu || http://bluefish.11a.nu
eleventh alliance development & security team
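
An added example, not part of the original post or thread: a Python check of which IDs a set-id file would actually hand to a non-root caller on Linux, plus a spool-directory audit built on it. It uses uid 514, gid 100 and group 12 from the post; the function names and the mode 2770 contrast case are constructed for illustration.

```python
import os
import stat

def can_exec(mode, f_uid, f_gid, uid, gids):
    """Pick the single execute bit the kernel checks for this non-root caller."""
    if uid == f_uid:
        return bool(mode & stat.S_IXUSR)
    if f_gid in gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)

def gained_ids(mode, f_uid, f_gid, uid, gids):
    """IDs an exec would grant that the caller does not already hold."""
    if not stat.S_ISREG(mode) or not can_exec(mode, f_uid, f_gid, uid, gids):
        return []
    gained = []
    if mode & stat.S_ISUID and f_uid != uid:
        gained.append(("uid", f_uid))
    # Linux honours setgid on exec only when group-execute is also set.
    if mode & stat.S_ISGID and mode & stat.S_IXGRP and f_gid not in gids:
        gained.append(("gid", f_gid))
    return gained

def audit_spool(path, uid, gids):
    """List set-id regular files in a spool directory; a mailbox should never be one."""
    findings = []
    for entry in os.scandir(path):
        st = entry.stat(follow_symlinks=False)
        if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append((entry.name, oct(stat.S_IMODE(st.st_mode)),
                             gained_ids(st.st_mode, st.st_uid, st.st_gid, uid, gids)))
    return findings

if __name__ == "__main__":
    REG = stat.S_IFREG
    ME, MY_GROUPS = 514, {100, 514}  # uid and groups from the post's id output
    # The post's case: chmod 4700 on a file the caller owns.
    print(gained_ids(REG | 0o4700, 514, 100, ME, MY_GROUPS))
    # Constructed contrast case: a setgid, group-executable file in group 12.
    print(gained_ids(REG | 0o2770, 514, 12, ME, MY_GROUPS))
    if os.path.isdir("/var/spool/mail"):
        me_groups = set(os.getgroups()) | {os.getegid()}
        print(audit_spool("/var/spool/mail", os.getuid(), me_groups))
```
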