Full Disclosure mailing list archives
Bug in "lockdev" on Redhat 8.x
From: Day Jay <d4yj4y () yahoo com>
Date: Fri, 29 Nov 2002 00:20:46 -0800 (PST)
Chung's Donut Shop Release
==========================
www.chungsdonutshop.com

Bug in "lockdev" on Redhat 8.x
-------------------------------
by d4yj4y
d4yj4y () chungsdonutshop com

"lockdev" on Redhat 8.x segfaults with a default switch without any parameters. lockdev is setuid "lock". If successfully exploited, it could grant a different id.

Per the documentation:

The lockdev functions act on device locks normally located in /var/lock. The lock is acquired creating a pair of files hardlinked between them and named after the device name....

Anyway, the program must not be called often by itself (assumption). It's probably called by other programs but anyway, it doesn't even validate its options well. See below:

[root@yourmom]# /usr/sbin/lockdev -l
Segmentation fault
[root@yourmom]# gdb /usr/sbin/lockdev
GNU gdb Red Hat Linux (5.2.1-4)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(no debugging symbols found)...
(gdb) set args -l
(gdb) run
Starting program: /usr/sbin/lockdev -l
(no debugging symbols found)...(no debugging symbols found)...

Program received signal SIGSEGV, Segmentation fault.
0x4207a893 in strrchr () from /lib/i686/libc.so.6
(gdb)

I haven't been able to overwrite the eip, and taking a look at the strrchr() function told me why it would be hard. I don't know if this can even be exploited but it's still a bug.
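The following is an added illustration, not code from the post and not the lockdev source (the post shows only a gdb trace, not the code that crashed). It models the bug class the trace points at: an option that requires a device name is accepted without its operand, and the missing operand is handed to strrchr() to strip the directory part of the path, which dereferences a null pointer. The function names, the hand-rolled option parser and the LCK..<name> lock-file naming are assumptions for illustration. The defender's point is the checked variant: a setuid helper validates argv before any string routine touches it, so a malformed command line produces a usage error instead of a crash in a privileged process.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not lockdev's own code. Names and behaviour are assumptions
 * chosen to mirror the "lockdev -l" crash described in the post. */

/* Unchecked variant: strips any directory prefix from a device path.
 * If the operand was never supplied and dev is NULL, strrchr() dereferences
 * NULL, which is the kind of crash the gdb trace in the post shows. */
const char *device_basename_unchecked(const char *dev)
{
    const char *slash = strrchr(dev, '/');
    return slash ? slash + 1 : dev;
}

/* Checked variant: rejects NULL, empty and directory-only operands before
 * any string routine sees them. Returns NULL for "no usable device name". */
const char *device_basename_checked(const char *dev)
{
    if (dev == NULL || *dev == '\0')
        return NULL;
    const char *slash = strrchr(dev, '/');
    const char *base = slash ? slash + 1 : dev;
    return *base ? base : NULL;      /* "/dev/" has no basename either */
}

/* Minimal option parser modelled on the command line in the post:
 *   lockdev -l <device>
 * Returns the device operand on success, or NULL when -l has no operand,
 * an unknown switch appears, or no -l was given. The caller prints usage
 * and exits instead of continuing with a NULL device name. */
const char *parse_lock_args(int argc, char *const argv[])
{
    const char *device = NULL;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-l") == 0) {
            if (i + 1 >= argc)           /* "-l" with nothing after it */
                return NULL;
            device = argv[++i];
        } else {
            return NULL;                 /* unknown switch: refuse, don't guess */
        }
    }
    return device;
}

int main(int argc, char *argv[])
{
    const char *dev = parse_lock_args(argc, argv);
    if (dev == NULL) {
        fprintf(stderr, "usage: %s -l <device>\n", argv[0]);
        return 2;
    }
    const char *base = device_basename_checked(dev);
    if (base == NULL) {
        fprintf(stderr, "invalid device name: %s\n", dev);
        return 2;
    }
    /* A real lock helper would now create the lock files under /var/lock;
     * this example only reports the name it would use (assumed naming). */
    printf("would lock /var/lock/LCK..%s\n", base);
    return 0;
}
```

Run as `./a.out -l` and the checked parser returns a usage error with exit status 2 rather than a SIGSEGV; `./a.out -l /dev/ttyS0` reports the lock name it would use. For a setuid binary the distinction matters even when the crash is not controllable: an unhandled fault in a privileged helper is at minimum a reliable way for an unprivileged user to kill it, and the parser is where the missing operand should be caught.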