Bugtraq
mailing list archives
[linux-security] write(1) leak
From: dholland () EECS HARVARD EDU (David Holland)
Date: Mon, 20 Jan 1997 13:53:26 -0500
Some versions (the util-linux version, but not the netwrite or netkit
versions) of /usr/bin/write have a buffer overrun problem that is
almost certainly exploitable. Note that this gives access to the tty
group, but not (directly) root.
The fix is to change the two sprintfs to snprintfs. Patches have been
mailed to the maintainer.
I should note for the Bugtraq audience (that message was intended for
linux-security only) that NetBSD is affected, FreeBSD and OpenBSD are
not. At least the -current versions. YMMV.
Also it was brought to my attention that you can't actually perform
the buffer overrun because the overflow string gets checked against
utmp before it has a chance to overflow.
Sorry about the false alarm.
--
- David A. Holland | VINO project home page:
dholland () eecs harvard edu | http://www.eecs.harvard.edu/vino
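
Added example, not part of the original post and not the util-linux source: a sketch of the sprintf-to-snprintf change the message names, combined with a lookup that stands in for the utmp check it mentions. The "/dev/%s" format, the buffer sizes, the function names and the sample line table are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define TTY_PATH_MAX 32  /* assumed size of the destination buffer */
#define LINE_FIELD   32  /* assumed width of a utmp-style line field */

/* Constructed stand-in for utmp: lines with a logged-in user. */
static const char *const sample_lines[] = { "tty1", "ttyp0", "ttyp3" };

/* Return 1 if tty is in the sample table. A name too long for a
 * fixed-width line field can never match, so it is rejected early. */
int line_is_logged_in(const char *tty)
{
    size_t i;
    if (strlen(tty) >= LINE_FIELD)
        return 0;
    for (i = 0; i < sizeof sample_lines / sizeof sample_lines[0]; i++)
        if (strcmp(tty, sample_lines[i]) == 0)
            return 1;
    return 0;
}

/* Bounded replacement for sprintf(path, "/dev/%s", tty).
 * Returns 0 on success, -1 on truncation or formatting error. */
int build_tty_path(char *path, size_t pathlen, const char *tty)
{
    int n = snprintf(path, pathlen, "/dev/%s", tty);
    if (n < 0 || (size_t)n >= pathlen)
        return -1;
    return 0;
}

/* Validate against the table first, then format with a bound. */
int open_target_path(char *path, size_t pathlen, const char *tty)
{
    if (!line_is_logged_in(tty))
        return -1;
    return build_tty_path(path, pathlen, tty);
}

int main(void)
{
    char path[TTY_PATH_MAX];
    int rc = open_target_path(path, sizeof path, "ttyp0");
    printf("ttyp0 -> %d (%s)\n", rc, rc == 0 ? path : "rejected");
    return 0;
}
```

Checking the snprintf return value matters as much as the bound itself: a silently truncated path would otherwise be used as if it were the requested terminal.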