Re: McAfee Virus Scan for Linux and Unix v5.10.0 Local Buffer Overflow

[sebastian () wolfgarten com]

But Joey as I said before, maybe somebody assigned SUID root privileges to
the scanner to enable ordinary users to run the scanner? I know this is
not the case by default but it might happen (and will result in a local
privilege escalation). For instance, in a similar buffer overflow that I
discovered earlier this year in Trend Micro's virus scanner this was the
exact problem...

Best regards,
Sebastian

> You are playing handpuppet of the jackass, actually. Check PATH_MAX
> in the Linux Kernel.
>
> J
>
> On Wed, 15 Aug 2007 12:53:18 -0400 monikerd <monikerd () gmail com>
> wrote:
> > Joey Mengele wrote:
> > > Where does security come into play here? This is a local crash
> > in a
> > > non setuid binary. I would like to hear your remote exploitation
> >
> > > scenario. Or perhaps your local privilege escalation scenario?
> > >
> > > J
> > I'll play advocate of the devil then. Imagine a wiki running on a
> > webserver,
> >
> > that allows anybody to create new topics which end up in
> > /articles/[Topic].txt
> > with sufficient .htaccess stuff in /articles to twart most usual
> > attacks ..
> >
> >
> > If you could create an arbitrary long topic, then you *might*
> > be able to execute some code, when some cronjob would scan the
> > drive
> > and come across the file?
> >
> > creating files is a different privilege than  running code. Hence
> > imho
> > it's not a bogus advisory.
> >
> >
> > another possibility would be to create an archive that extracts an
> > incredibly
> > long filename perhaps? scanning an archive before/after it's
> > extracted
> > is a pretty common event i guess.
>
> --
> Truck Rentals - Click Here.
> http://tagline.hushmail.com/fc/Ioyw6h4deMfubiVvi7gHv4s7CdhKJ8kEwJlfzSquIJmjLCuoP1m9Dv/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/