Full Disclosure mailing list archives

Re: [+] Vulnerability in less version 394 and prior


From: fdlist () digitaloffense net
Date: Tue, 30 Oct 2007 23:41:39 -0500

$ LESSOPEN=/bin/sh less /dev/null
sh-3.2$

On Tuesday 30 October 2007, glopeda.com wrote:
> There exists a format string bug in the less application present in
> most flavors of UNIX.  It could be leveraged for privilege escalation
> if the calling application is setuid/setgid and does not properly drop
> privileges.
>
> Meager demonstration:
> $ export LESSOPEN=%s%n
> $ less somefile
> Segmentation fault

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
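The two messages above make two separate points: the quoted post reports a user-controlled LESSOPEN value reaching a printf-style format string (the `%n` is what turns a crash into a write), and the reply notes that LESSOPEN is executed as a shell command anyway, so an attacker who controls the environment needs no memory corruption. The following is an added example written for this page, not code from less or from either poster; the function names are hypothetical and the `%s` substitution models only the documented LESSOPEN placeholder. It shows the vulnerable pattern beside a substitution that never treats the value as a format string, a check that flags values like `%s%n`, and the environment scrubbing a privileged caller needs regardless, since the reply's `LESSOPEN=/bin/sh` is defeated only by not honouring the variable at all.

```c
/* Added example modelling the bug class in the thread; names are
 * hypothetical and this is not less's own code. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern: the user-controlled spec becomes the format string,
 * so a value such as "%s%n" reaches snprintf's %n and writes memory.
 * Kept for contrast only; never call it with an untrusted spec. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int expand_lessopen_unsafe(const char *spec, const char *file,
                           char *out, size_t outlen)
{
    return snprintf(out, outlen, spec, file);
}
#pragma GCC diagnostic pop

/* Hardened pattern: substitute the single documented placeholder (%s)
 * by hand and copy every other byte literally, so the spec is never a
 * format string and "%n" stays inert text.  Returns the length written,
 * or -1 if out is too small. */
int expand_lessopen_safe(const char *spec, const char *file,
                         char *out, size_t outlen)
{
    size_t pos = 0;
    for (const char *p = spec; *p; p++) {
        if (p[0] == '%' && p[1] == 's') {
            size_t flen = strlen(file);
            if (pos + flen >= outlen)
                return -1;
            memcpy(out + pos, file, flen);
            pos += flen;
            p++;                        /* skip the 's' */
        } else {
            if (pos + 1 >= outlen)
                return -1;
            out[pos++] = *p;
        }
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Check: does a LESSOPEN value contain any conversion other than %s?
 * This is the shape of the crash trigger in the quoted post. */
int spec_has_foreign_conversion(const char *spec)
{
    for (const char *p = spec; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == 's') {
            p++;
            continue;
        }
        return 1;                       /* %n, %x, a bare trailing %, ... */
    }
    return 0;
}

/* Even the safe expansion is handed to a shell, which is the reply's
 * point: with LESSOPEN=/bin/sh there is nothing to exploit.  A setuid
 * caller that keeps privileges must drop these variables before it
 * invokes a pager at all. */
void scrub_pager_env(void)
{
    static const char *const vars[] = { "LESSOPEN", "LESSCLOSE", NULL };
    for (int i = 0; vars[i]; i++)
        unsetenv(vars[i]);
}

int main(void)
{
    char cmd[256];
    const char *spec = "%s%n";          /* constructed: the value from the post */

    if (spec_has_foreign_conversion(spec))
        printf("LESSOPEN=%s carries a conversion other than %%s\n", spec);
    if (expand_lessopen_safe(spec, "somefile", cmd, sizeof cmd) >= 0)
        printf("safe expansion: %s\n", cmd);    /* prints "somefile%n" */
    scrub_pager_env();
    return 0;
}
```

The safe variant fixes only the memory-safety half of the thread; it still produces a command line that the pager would run through the shell, so the check and the scrub are what a privileged wrapper actually needs.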
