Vulnerability Development mailing list archives

Re: su core dumped with signal 3. BSD/OS 3.0, 3.1

From: Joel Eriksson <je-vulndev () bitnux com>
Date: Thu, 13 Mar 2003 18:52:11 +0100

On Wed, Mar 12, 2003 at 09:26:22PM +0100, Marco Ivaldi wrote:

As to exploiting, no, I don't think you can exploit this: the core here
is a result of the kernel processing a signal sent to the process, not
of some overflow or invalid memory access or similar.


Just wondering. What happens if you create a symlink to .rhosts and manage
to write a "+ +" in memory before coredump (i've not checked if it's
possible in this particular situation)? Or maybe symlinking /etc/passwd
and causing a DoS condition? This is just an example, but i'm not so sure
it's not possible to exploit this behaviour of a setuid program...

Please correct me if i'm plain wrong:)


This used to work a few years ago anyway. I would think recent versions
of Unix-OS:s have fixed that rather trivial flaw, but it's worth trying.

:raptor
Antifork Research, Inc.                         0xdeadbeef | raptor's labs
http://www.antifork.org                         http://www.0xdeadbeef.info


-- 
Joel Eriksson
-------------------------------------------------
Security Research & Systems Development at Bitnux
PGP Key Server pgp.mit.edu, PGP Key ID 0x529FDBD1
A615 A1E1 3CA2 D7C2 CFEA 47B4 7EF7 E6B2 529F DBD1
-------------------------------------------------

Current thread:

su core dumped with signal 3. BSD/OS 3.0, 3.1 Ivan Aleksandrov (Mar 11)
- Re: su core dumped with signal 3. BSD/OS 3.0, 3.1 Peter Pentchev (Mar 12)
  - Re: su core dumped with signal 3. BSD/OS 3.0, 3.1 Marco Ivaldi (Mar 13)
    - Re: su core dumped with signal 3. BSD/OS 3.0, 3.1 Joel Eriksson (Mar 13)