Bugtraq mailing list archives
Re: /bin/su local libc exploit yielding a root shell
From: Matt Wilson <msw () REDHAT COM>
Date: Wed, 4 Oct 2000 00:59:35 -0400
I have been able to verify this exploit on stock Red Hat Linux 6.2, and have verified that the rogue message catalog is not read when the errata for glibc at http://www.redhat.com/support/errata/RHSA-2000-057-04.html is applied.

Again - Red Hat, Inc. strongly recommends that all users upgrade to the glibc errata in RHSA-2000-057-04 as it protects you against this and similar exploits.

Cheers,
Matt
msw () redhat com

On Tue, Oct 03, 2000 at 12:25:14PM +0200, Guido Bakker wrote:
/* Hail to thee dear readers, This is yet another /bin/su + buggy locale functions in libc exploit. The reason for writing it is rather easy to explain: all existing versions of "su" format bug exploits were very unreliable and tedious to use - the number of addresses on the stack, and thus the number of %.8x signs to use, varied heavily, as well as the alignment. Return addresses were expected to be specified on the command line, which is imho an idiotic thing to combine with all the other options that also are to be 'brute forced'. Finding these values by hand is too tedious a thing to do and costs the average script-kid way too much time. I hoped to solve this in this exploit and have found it to work on many different machines so far by using a small brute forcing perl wrapper.
<code snipped>
| Guido Bakker <guidob () mainnet nl> | Network Manager MainNet BV, http://www.mainnet.nl Phone: +31 (0)20 6133505 Fax: +31 (0)20 6135640