Vulnerability Development mailing list archives
Re: m4 and format strings
From: Matt Zimmerman <mdz () csh rit edu>
Date: Wed, 27 Jun 2001 14:31:13 -0400
On Wed, Jun 27, 2001 at 12:52:40AM -0700, Samy Kamkar [CommPort5] wrote:
> [elguapo@linux elguapo]$ m4 %x,%x,%x,%x,%x,%x,%x
> m4: 0,bffff818,4000d2ce,805df78,8048c56,4002e0bc,4014af2c: No such file or directory
>
> can anyone think of a situation where this could cause root to be exploited... m4 is not suid to my understanding.
>
> Since it's not suid by default, you can't gain root from it directly. If another program (that is suid) is using it, then you might be able to depending on how it's used...also, that's assuming that format string bug is actually exploitable. It's only opening that file so I doubt you can do any exploitation with it...
If you can control the filename that is passed to m4 by a privileged program, there are far easier ways to gain privileges than trying to exploit a format string bug. Instead, pass the name of a file that you created, with contents like:

syscmd(touch /evil)

--
 - mdz
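
A defensive check for the scenario in the reply above, as an added example that is not part of the original post or of m4: before a privileged program hands a file to m4, it opens the file itself and verifies that an untrusted user could neither have written it nor substituted it. The function names, the trusted-uid policy and the sample files are assumptions made for this illustration.

```python
import os
import stat
import tempfile

def open_trusted_m4_input(path, trusted_uids=(0,)):
    """Return a read-only fd for path, or raise OSError if an untrusted
    user could have chosen or written the file."""
    # O_NOFOLLOW rejects a symlink as the final component; O_NONBLOCK keeps
    # a FIFO from hanging the open. The checks use fstat() on the opened
    # object, so the name cannot be swapped between check and use.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        if st.st_uid not in trusted_uids:
            raise PermissionError("owner uid %d is not trusted" % st.st_uid)
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError("group- or world-writable")
    except OSError:
        os.close(fd)
        raise
    return fd

def is_trusted(path, trusted_uids=(0,)):
    """Boolean form of the check above; closes the descriptor again."""
    try:
        os.close(open_trusted_m4_input(path, trusted_uids))
        return True
    except OSError:
        return False

def demo():
    """Constructed files; the current uid stands in for the trusted owner."""
    me, out = os.getuid(), {}
    with tempfile.TemporaryDirectory() as d:
        macro = os.path.join(d, "site.m4")
        with open(macro, "w") as f:
            f.write("define(`greeting', `hello')greeting\n")
        os.chmod(macro, 0o644)
        link = os.path.join(d, "link.m4")
        os.symlink(macro, link)
        out["trusted_owner"] = is_trusted(macro, (me,))
        out["other_owner"] = is_trusted(macro, (me + 1,))
        out["symlink"] = is_trusted(link, (me,))
        os.chmod(macro, 0o666)
        out["world_writable"] = is_trusted(macro, (me,))
    return out

if __name__ == "__main__":
    print(demo())
```

m4 reads standard input when no file is named, so the caller can pass the checked descriptor as the child's stdin instead of re-opening the path.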