Bugtraq mailing list archives

glibc/locale sploit for ImmunixOS


From: Mariusz Woloszyn <emsi () IPARTNERS PL>
Date: Tue, 19 Sep 2000 23:15:18 +0200


I just developed the first publicly known sploit that bypasses StackGuard
protection in the real world. I decided to publish it as the patch for glibc on
ImmunixOS is out. It's also the proof of concept described about a year ago
in our (my and Bulba's) Phrack article published in May this year.
[http://phrack.infonexus.com/search.phtml?view&article=p56-5]

The sploit is as simple as possible: it does not take any arguments and
produces a shell with euid==0. All addresses are fixed (stack and env).
The exploiting string overwrites the exit() GOT entry and makes it point to
our shellcode (it's sufficient if the stack is executable), just like
we described in the Phrack article a long time ago :)

The exploit won't work if glibc is patched (the ImmunixOS patched glibc can be
found at http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/):
        glibc-2.1.3-21_StackGuard.i386.rpm
        glibc-devel-2.1.3-21_StackGuard.i386.rpm
        glibc-profile-2.1.3-21_StackGuard.i386.rpm
        nscd-2.1.3-21_StackGuard.i386.rpm


I would like to remind you that by using StackGuarded binaries you're still
adding an extra security level that can be bypassed ONLY under certain
circumstances!

Greetings go to all the best Polish security specialists!

Regards,

--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners, GTS Poland

Attachment: 33_su.c