Vulnerability Development mailing list archives

Re: Buffer overflow vulnerability in action argument of dtaction


From: w3 <warning3 () nsfocus com>
Date: Tue, 16 Oct 2001 20:16:47 +0800


It looks like dtaction has dropped the root privilege (setuid(getuid()))
before the overflow happens. So this bug won't give you any more privilege.

[Solaris 7, SPARC]
[root@ /]> truss -t'!all' -u libc:getuid,setuid /usr/dt/bin/dtaction foo `perl -e 'print "A"x4000'`

-> libc:getuid(0x4, 0x1, 0x0, 0xfed78458)
<- libc:getuid() = 0
-> libc:getuid(0x1, 0x3, 0xff31c258, 0x13a18)
<- libc:getuid() = 0
-> libc:setuid(0x0, 0x0, 0xffbeedf8, 0x24400)
<- libc:setuid() = 0
-> libc:getuid(0x4, 0x1, 0x0, 0xfed78458)
<- libc:getuid() = 0
    Incurred fault #6, FLTBOUNDS  %pc = 0xFEEB6C50
      siginfo: SIGSEGV SEGV_MAPERR addr=0x41413D41
    Received signal #11, SIGSEGV [default]
      siginfo: SIGSEGV SEGV_MAPERR addr=0x41413D41
        *** process killed ***


---Original Message---
From : <bknight () iland co kr>
Date : Tue, 16 Oct 2001 06:57:24 +0900 (KST)


r0ar Security Advisory
October 5, 2001

Buffer overflow vulnerability in action argument of dtaction
[...snip...]

---
http://www.r0ar.org (formerly known as ksecurity)

e-mail : bknight () r0ar org

Regards,
warning3 <warning3 () nsfocus com>
http://www.nsfocus.com
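To make the reading warning3 does by eye on the truss output repeatable, here is an added Python example (not code from the post, from r0ar, or from dtaction itself): it parses the call/return lines that `truss -u libc:getuid,setuid` prints together with the `Incurred fault` line, and reports whether a setuid(getuid()) privilege drop completed before the process faulted. The first trace is the one quoted in the post; the second is a constructed counter-example showing the case that would actually matter to a reviewer, a fault while the effective uid is still the setuid owner's. The line formats are assumed from the output shown above.

```python
"""Classify a truss(1) trace of a setuid program: did it call
setuid(getuid()) before the fault that killed it?

Added example, not from the original post.  The parsing rules are an
assumption about the '-u libc:getuid,setuid' line format seen above."""
import re

# Sample 1: the truss output quoted in the post (Solaris 7, run as root).
SAMPLE_TRACE = """\
-> libc:getuid(0x4, 0x1, 0x0, 0xfed78458)
<- libc:getuid() = 0
-> libc:getuid(0x1, 0x3, 0xff31c258, 0x13a18)
<- libc:getuid() = 0
-> libc:setuid(0x0, 0x0, 0xffbeedf8, 0x24400)
<- libc:setuid() = 0
-> libc:getuid(0x4, 0x1, 0x0, 0xfed78458)
<- libc:getuid() = 0
    Incurred fault #6, FLTBOUNDS  %pc = 0xFEEB6C50
      siginfo: SIGSEGV SEGV_MAPERR addr=0x41413D41
    Received signal #11, SIGSEGV [default]
      siginfo: SIGSEGV SEGV_MAPERR addr=0x41413D41
        *** process killed ***
"""

# Sample 2: constructed counter-example.  An unprivileged user (uid 1001)
# runs the program and it faults before any setuid() call, i.e. while the
# effective uid is still that of the setuid owner.
FAULT_WHILE_PRIVILEGED = """\
-> libc:getuid(0x4, 0x1, 0x0, 0xfed78458)
<- libc:getuid() = 1001
    Incurred fault #6, FLTBOUNDS  %pc = 0xFEEB6C50
      siginfo: SIGSEGV SEGV_MAPERR addr=0x41414141
    Received signal #11, SIGSEGV [default]
        *** process killed ***
"""

# "-> libc:NAME(0xARG, ...)"   : entry into the traced function (first arg only)
CALL_RE = re.compile(r"^\s*->\s+libc:(\w+)\((?:(0x[0-9a-fA-F]+))?")
# "<- libc:NAME() = RET"       : return from the traced function
RET_RE = re.compile(r"^\s*<-\s+libc:(\w+)\(\)\s*=\s*(-?\d+)")
# "Incurred fault #N, ..."     : hardware fault reported by truss
FAULT_RE = re.compile(r"^\s*Incurred fault #\d+")


def analyze_trace(text):
    """Return {'events': [(call, first_arg, ret), ...],
               'fault_seen': bool,
               'dropped_before_fault': bool}.
    A drop is recognised when setuid() is called with the value the most
    recent getuid() returned (the real uid), returns 0, and no fault has
    been seen yet."""
    events = []
    last_getuid = None
    dropped = False
    fault = False
    pending = None  # (call, first_arg) waiting for its "<-" return line
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            arg = int(m.group(2), 16) if m.group(2) else None
            pending = (m.group(1), arg)
            continue
        m = RET_RE.match(line)
        if m and pending and pending[0] == m.group(1):
            call, arg = pending
            ret = int(m.group(2))
            events.append((call, arg, ret))
            if call == "getuid":
                last_getuid = ret
            elif (call == "setuid" and ret == 0 and not fault
                  and last_getuid is not None and arg == last_getuid):
                dropped = True
            pending = None
            continue
        if FAULT_RE.match(line):
            fault = True
    return {"events": events, "fault_seen": fault,
            "dropped_before_fault": dropped}


def verdict(text):
    """One-line triage summary for a trace."""
    r = analyze_trace(text)
    if not r["fault_seen"]:
        return "no fault recorded in trace"
    if r["dropped_before_fault"]:
        return ("privileges dropped before the fault: the crash alone is not "
                "a privilege-escalation path")
    return ("fault while still privileged: investigate as a potential "
            "privilege-escalation bug")


if __name__ == "__main__":
    print(verdict(SAMPLE_TRACE))
    print(verdict(FAULT_WHILE_PRIVILEGED))
```

The check deliberately keys on setuid() being passed the value getuid() just returned, because that is the setuid(getuid()) idiom the post identifies; a setuid() call with some other argument (or one that fails) is not counted as a drop. When the tester runs as root, as in the post, both values are 0, so the same rule still recognises the drop.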
