Re: Unsafe Signal Handling unix_chkpwd?

[Michal Zalewski <lcamtuf () bos bindview com>]

On Thu, 31 May 2001, Charles Stevenson wrote:

> Hi, great paper.  I just started hammering at all the standard suid
> binaries and at the moment I'm trying to determine if unix_chkpwd is
> exploitable:

At least on Linux, it might be exploitable due to vsyslog() call, which
creates temporary buffers on heap (in this particular implementation). At
the same time, as this vsyslog() is all we have, that would require
in-depth analysis of heap contents at the time the attack could be
performed, and in-depth analysis of malloc() behavior in order to figure
out if there is any heap modification phase that can be interrupted to get
exploitable condition. My guess is that it is worth trying.

-- 
_____________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=