Full Disclosure mailing list archives
Local Root Exploit
From: full-disclosure () lists netsys com (Roman Drahtmueller)
Date: Sat, 10 Aug 2002 17:16:15 +0200 (MEST)
To: vulnwatch () vulnwatch org, bugtraq () securityfocus com, vuln-dev () securityfocus com, lance () honeynet org, full-disclosure () lists netsys com, submissions () packetstormsecurity org
Date: Fri, 9 Aug 2002 15:54:32 -0700
Subject: [Full-disclosure] Local Root Exploit
Reply-To: full-disclosure () lists netsys com

This exploit has been published _after_ SuSE Security have published the packages for the bug on Thursday, August 8, 18:05 MEST. I don't want to claim that gobbles learnt about the bug from the changelogs, but it definitely looks like it.

It is correct that finding format string bugs should be left to the professionals. This bug has been found by Sebastian Krahmer, SuSE Security, during an internal code audit. Urgent and adverse matters kept us from publishing it earlier. It looks like it was early enough.

Please update using the following command:

    rpm -Fhv ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/i4l-2002.7.31-0.i386.rpm

ipppd is not installed setuid root any more with this update package.

Besides, I don't think that it is appropriate to carry out a catfight on a security list.

 *
 * GENERIC FORMATSTRING EXPLOITS ARE SUPER DUPER FUN
 *
 * We're surprised that format bugs are allowed in 7350linux, but no one
 * is perfect. Finding format bugs is a difficult task, and should be left
 * to the professionals. A little known fact -- Paul Vixie invented
 * insecure programming. We wanted to get this bug squashed before some
 * "researcher" from snosoft.com discovered it and tried to make some money
 * off it. Help us in our mission to eliminate the existence of format bugs
 * in code.
 *
 * Greets:
[...]

Thanks,
Roman.
--
 - -
| Roman Drahtmüller <draht () suse de> // "You don't need eyes to see, |
  SuSE Linux AG - Security Phone: // you need vision!"
| Nürnberg, Germany +49-911-740530 // Maxi Jazz, Faithless |
 - -