Vulnerability Development mailing list archives
Re: su core dumped with signal 3. BSD/OS 3.0, 3.1
From: Joel Eriksson <je-vulndev () bitnux com>
Date: Thu, 13 Mar 2003 18:52:11 +0100
On Wed, Mar 12, 2003 at 09:26:22PM +0100, Marco Ivaldi wrote:
As to exploiting, no, I don't think you can exploit this: the core here is a result of the kernel processing a signal sent to the process, not of some overflow or invalid memory access or similar.Just wondering. What happens if you create a symlink to .rhosts and manage to write a "+ +" in memory before coredump (i've not checked if it's possible in this particular situation)? Or maybe symlinking /etc/passwd and causing a DoS condition? This is just an example, but i'm not so sure it's not possible to exploit this behaviour of a setuid program... Please correct me if i'm plain wrong:)
This used to work a few years ago anyway. I would think recent versions of Unix-OS:s have fixed that rather trivial flaw, but it's worth trying.
:raptor Antifork Research, Inc. 0xdeadbeef | raptor's labs http://www.antifork.org http://www.0xdeadbeef.info
-- Joel Eriksson ------------------------------------------------- Security Research & Systems Development at Bitnux PGP Key Server pgp.mit.edu, PGP Key ID 0x529FDBD1 A615 A1E1 3CA2 D7C2 CFEA 47B4 7EF7 E6B2 529F DBD1 -------------------------------------------------
Current thread:
- su core dumped with signal 3. BSD/OS 3.0, 3.1 Ivan Aleksandrov (Mar 11)
- Re: su core dumped with signal 3. BSD/OS 3.0, 3.1 Peter Pentchev (Mar 12)
- Re: su core dumped with signal 3. BSD/OS 3.0, 3.1 Marco Ivaldi (Mar 13)
- Re: su core dumped with signal 3. BSD/OS 3.0, 3.1 Joel Eriksson (Mar 13)
- Re: su core dumped with signal 3. BSD/OS 3.0, 3.1 Marco Ivaldi (Mar 13)
- Re: su core dumped with signal 3. BSD/OS 3.0, 3.1 Peter Pentchev (Mar 12)