Bugtraq mailing list archives

Re: /bin/su local libc exploit yielding a root shell


From: Matt Wilson <msw () REDHAT COM>
Date: Wed, 4 Oct 2000 00:59:35 -0400

I have been able to verify this exploit on stock Red Hat Linux 6.2,
and have verified that the rogue message catalog is not read when the
errata for glibc at:

http://www.redhat.com/support/errata/RHSA-2000-057-04.html

is applied.

Again - Red Hat, Inc. strongly recommends that all users upgrade to
the glibc errata in RHSA-2000-057-04 as it protects you against this
and similar exploits.

Cheers,

Matt
msw () redhat com

On Tue, Oct 03, 2000 at 12:25:14PM +0200, Guido Bakker wrote:
/*
   Hail to thee dear readers,

   This is yet another /bin/su + buggy locale functions in libc exploit.
   The reason for writing it is rather easy to explain, all existing versions
   of "su" format bug exploits were very unreliable and tedious to use - the
   number of addresses on the stack, and thus the number of %.8x signs to use
   varied heavily, as well as the alignment. Return addresses were expected to
   be specified on the command line, which is imho an idiotic thing to combine
   with all the other options that also are to be 'brute forced'.
   Finding these values by hand is too tedious a thing to do and costs the
   average script-kid way too much time. I hoped to solve this in this exploit
   and have found it to work on many different machines so far by using a
   small brute forcing perl wrapper.

<code snipped>

| Guido Bakker <guidob () mainnet nl>
| Network Manager

MainNet BV, http://www.mainnet.nl
Phone: +31 (0)20 6133505
Fax: +31 (0)20 6135640
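The quoted paragraph describes the two unknowns a /bin/su format-string exploit has to brute force: how many `%.8x` conversions are needed before printf's argument walk reaches the attacker's buffer, and how many bytes of padding put the planted address on a 4-byte word boundary. The following is an added example written for this page, not Guido Bakker's exploit and not code from Red Hat or glibc. It models a 32-bit little-endian stack as a byte array and replaces printf with a small simulator (`sim_printf`) that understands only `%x`/`%.8x` and `%n`; `TARGET_ADDR`, the filler pattern and the buffer offsets 37 and 60 are constructed for the demonstration. Nothing here touches a real libc or a setuid binary; what it shows is the calibration problem itself and the brute-force loop that solves it.

```c
/*
 * Stack-walk calibration model for a %n format-string exploit.
 * Added example for this archive page; it is not Guido Bakker's exploit and
 * does not touch a real libc. The "stack" is a byte array and sim_printf() is a
 * model of printf's argument walk, so the only thing demonstrated is the
 * calibration the post describes: how many %.8x pops reach the planted address
 * and how many pad bytes align it on a word boundary.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_BYTES 256
#define TARGET_ADDR 0x0804a010u   /* assumed: the word the exploit wants %n to hit */

struct sim {
    unsigned char mem[STACK_BYTES]; /* byte 0 = printf's first vararg slot */
    uint32_t target;                /* the "memory" behind TARGET_ADDR */
};

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Model of printf: literal bytes count 1 each; "%x", "%8x" and "%.8x" pop one
 * 32-bit word and emit max(width, 8) characters (every popped word is assumed
 * to print as 8 hex digits); "%n" pops a word and, if it equals TARGET_ADDR,
 * stores the running count there. Returns 1 on a successful write, 0 if the
 * format ends without %n, -1 if %n dereferences any other word (a crash). */
static int sim_printf(struct sim *s, const char *fmt)
{
    size_t arg = 0;      /* next vararg word index */
    uint32_t count = 0;  /* characters written so far */
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') { count++; continue; }
        p++;
        if (*p == '.') p++;
        unsigned width = 0;
        while (*p >= '0' && *p <= '9') width = width * 10 + (unsigned)(*p++ - '0');
        if (4 * arg + 4 > STACK_BYTES) return -1;
        uint32_t word = le32(s->mem + 4 * arg);
        arg++;
        if (*p == 'x') { count += width > 8 ? width : 8; continue; }
        if (*p == 'n') {
            if (word != TARGET_ADDR) return -1;
            s->target = count;
            return 1;
        }
        return -1;  /* conversion not modelled */
    }
    return 0;
}

/* Classic layout: pad bytes, the target address (little-endian; this one has
 * no NUL bytes, a real address might), `pops` x "%.8x", then "%n".
 * Returns the payload length, 0 if it does not fit. */
static size_t build_payload(unsigned char *out, size_t cap, unsigned pad, unsigned pops)
{
    size_t n = 0;
    if (cap < pad + 4 + 4 * (size_t)pops + 3) return 0;
    memset(out, 'A', pad); n += pad;
    for (int i = 0; i < 4; i++) out[n++] = (unsigned char)(TARGET_ADDR >> (8 * i));
    for (unsigned i = 0; i < pops; i++) { memcpy(out + n, "%.8x", 4); n += 4; }
    memcpy(out + n, "%n", 3);  /* copies the NUL terminator too */
    return n + 2;
}

/* Plant the payload at byte offset buf_off from the first vararg slot (the
 * unknown distance a real exploit has to guess) and run the model. */
static int try_payload(size_t buf_off, unsigned pad, unsigned pops, uint32_t *written)
{
    struct sim s;
    memset(&s, 0, sizeof s);
    for (size_t i = 0; i + 4 <= STACK_BYTES; i += 4) {   /* recognisable filler words */
        uint32_t w = 0xdeadbe00u + (uint32_t)(i / 4);
        for (int b = 0; b < 4; b++) s.mem[i + b] = (unsigned char)(w >> (8 * b));
    }
    if (buf_off >= STACK_BYTES) return -1;
    if (build_payload(s.mem + buf_off, STACK_BYTES - buf_off, pad, pops) == 0) return -1;
    int r = sim_printf(&s, (const char *)s.mem + buf_off);
    if (r == 1 && written) *written = s.target;
    return r;
}

struct calib { int found; unsigned pad, pops; uint32_t written; };

/* The brute-force wrapper: alignments 0..3 times increasing pop counts, stopping
 * at the first combination whose %n lands on the planted address. A real
 * wrapper gets the same signal from the child's exit status (SIGSEGV or not). */
static struct calib calibrate(size_t buf_off)
{
    struct calib c = {0, 0, 0, 0};
    for (unsigned pad = 0; pad < 4 && !c.found; pad++)
        for (unsigned pops = 0; pops < STACK_BYTES / 4 && !c.found; pops++) {
            uint32_t written = 0;
            if (try_payload(buf_off, pad, pops, &written) == 1) {
                c.found = 1; c.pad = pad; c.pops = pops; c.written = written;
            }
        }
    return c;
}

int main(void)
{
    size_t offsets[] = {37, 60};  /* constructed buffer offsets */
    for (size_t i = 0; i < 2; i++) {
        struct calib c = calibrate(offsets[i]);
        printf("buf_off=%zu -> found=%d pad=%u pops=%u count written=%u\n",
               offsets[i], c.found, c.pad, c.pops, c.written);
    }
    return 0;
}
```

For a buffer 37 bytes past the first vararg slot the search settles on 3 pad bytes and 10 pops, and the `%n` stores 87 (3 + 4 address bytes + 10 × 8); at offset 60 it needs no padding and 15 pops. Every wrong guess is reported as a crash, which is exactly why hand-tuning these values on a real binary is slow and why a wrapper that iterates them is the practical approach. The value written here is just the character count; steering it to a chosen return address needs width-padded conversions (and usually several `%n` writes), which this model leaves out. Against a setuid target, the errata Red Hat references closes the vector by not loading catalogs from user-controlled locale paths, so there is no attacker-controlled format string to calibrate against in the first place.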

