Full Disclosure mailing list archives
Re: /bin/mail & glibc
From: Mark <mark () vulndev org>
Date: 29 May 2003 12:39:08 +0100
Sorry, I am immensely bored today, so I am actually reading email! It's actually a problem with /bin/mail and how it handles the CC field.

/bin/mail -s Test -c `perl -e 'print "A" x 8224'` root@localhost

segfaults and overwrites EIP at 8224 characters (segfaults without EIP at 8220). You don't have to be using zsh to create this problem. There isn't really a lot of worry unless /bin/mail was setuid/setgid... easy to spawn a shell. I've put a messy Perl exploit together (www.vulndev.org); run it, insert your '.' and <CR>, and you should get a shell.

-- Mark
www.vulndev.org

'If ignorant both of the enemy and yourself, you are certain in every battle to be in peril.' If you know yourself, knowing the enemy does not matter.
-- Sun Tzu - The Art of War (Adapted)
Attachment:
signature.asc
Description: This is a digitally signed message part
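The bug class Mark reports above (an oversized -c argument copied into a fixed-size stack buffer until it reaches the saved return address), modelled as an added example. This is not /bin/mail's source and not code from the post: the buffer size CC_BUF, the function names and the "Cc: ...\n" header layout are assumptions made for the demonstration. The unsafe form shows the defect; the safe form measures the argument first and refuses it instead of crashing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not /bin/mail's code. CC_BUF, the function names
 * and the "Cc: ...\n" header layout are assumptions made for the demo. */
#define CC_BUF 256

/* Vulnerable form: the Cc argument is appended to a fixed stack buffer
 * with no length check. Once strlen(cc) exceeds the space left in hdr[],
 * strcat() writes past the array, over whatever the compiler placed
 * after it, and with enough input over the saved return address. This
 * is the pattern behind "overwrites EIP at N characters". Call it only
 * with short input; it exists to show the defect, not to be run on
 * attacker-controlled data. */
int build_cc_header_unsafe(const char *cc, char *out, size_t outlen)
{
    char hdr[CC_BUF];

    strcpy(hdr, "Cc: ");
    strcat(hdr, cc);      /* unbounded: overflows once strlen(cc) > CC_BUF - 6 */
    strcat(hdr, "\n");
    return snprintf(out, outlen, "%s", hdr);
}

/* Hardened form: compute the space needed before writing, refuse input
 * that does not fit, and let snprintf() bound the copy anyway.
 * Returns the header length (without the NUL) or -1 if cc is too long. */
int build_cc_header_safe(const char *cc, char *out, size_t outlen)
{
    size_t need = strlen("Cc: ") + strlen(cc) + strlen("\n") + 1; /* + NUL */
    int n;

    if (need > outlen)
        return -1;                       /* oversized -c: refuse, do not truncate silently */
    n = snprintf(out, outlen, "Cc: %s\n", cc);
    if (n < 0 || (size_t)n >= outlen)    /* belt and braces: snprintf truncated */
        return -1;
    return n;
}

/* Minimal driver mirroring the command line in the post: mail -c <list> ... */
int main(int argc, char **argv)
{
    const char *cc = "root@localhost";   /* default so it runs with no arguments */
    char out[CC_BUF];
    int i, n;

    for (i = 1; i + 1 < argc; i++)
        if (strcmp(argv[i], "-c") == 0)
            cc = argv[i + 1];

    n = build_cc_header_safe(cc, out, sizeof out);
    if (n < 0) {
        fprintf(stderr, "-c argument is %zu bytes, too long for a %zu-byte header; refusing\n",
                strlen(cc), sizeof out);
        return 1;
    }
    fputs(out, stdout);
    return 0;
}
```

Run as `./mailcc -c "$(perl -e 'print "A" x 8224')" root@localhost` the driver exits 1 with the refusal message; swap `build_cc_header_unsafe` into the driver and the same 8224-byte argument smashes the stack frame the way the post describes.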
Current thread:
- /bin/mail & glibc uk2sec (May 29)
- <Possible follow-ups>
- Re: /bin/mail & glibc Mark (May 29)