Home page logo

bugtraq logo Bugtraq mailing list archives

Re: a few bugs ...
From: lcamtuf () DIONE IDS PL (Michal Zalewski)
Date: Sat, 18 Mar 2000 18:44:47 +0100

On Fri, 17 Mar 2000, Michal Zalewski wrote:

<...> assuming there's no interesting data in daemon address space (I
don't think so - it is not performing any authorization, etc, only
reads utmp entries), I don't think it might lead to anything except
crash. And, as it's started from inetd, I don't think it might have
any security implications ;)

...after getting priv response from z33d...

Ok, z33d, sorry, I should think twice before sending flames :) Of course,
there's one way to cause some mess - with %n format string. Unfortunately,
ntalk request packet is relatively small and fixed-size, so we have just a
little stack space to play with - we might skip just a few dwords with eg
'%d', but we're limited with max size of caller's login, which must fit in
this packet. In range of 6 dwords on stack (NAME_SIZE=12), I can't see any
address or variable, which can be altered with relatively small dword
(with 3 higher bytes unset, as request message isn't long) and result in
anything else than crash. Unfortunately, we can't even hit in the middle
of some address to and affect only less important byte(s).

So, first of all I'd like to say I'm sorry for my previous response, but,
in fact, I still believe this bug cannot be exploited in any way, and it
has no security implications.

Michal Zalewski * [lcamtuf () ags pl] <=> [AGS WAN SYSADM]
[dione.ids.pl SYSADM] <-> [http://lcamtuf.na.export.pl]
[+48 22 551 45 93] [+48 603 110 160] bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=

  By Date           By Thread  

Current thread:
  • Re: a few bugs ... Michal Zalewski (Mar 18)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]