Home page logo

bugtraq logo Bugtraq mailing list archives

Re: a few bugs ...
From: lcamtuf () DIONE IDS PL (Michal Zalewski)
Date: Tue, 21 Mar 2000 08:49:04 +0100

On Mon, 20 Mar 2000, Daniel Jacobowitz wrote:

Actually, it was exploitable, if you are referring to the
username-passed-in-format-string bit.  In my efforts for
crack.linuxppc.org (which I have not gotten around to writing up yet,
but will - there were a few interesting tidbits), I used that for two
tricks: to gain root access within the chroot and to disable dropping
of capabilities.

Hmm, correct me if I'm wrong, but in this particular case, we're not
inside chroot() cage nor ntalkd is not using capabilities. In next post,
I've described we don't have enough space to overwrite anything
interesting on stack, at least when we can overwrite it only with small
integer. I'd appreciate if you tell me what I've missed.

Michal Zalewski * [lcamtuf () ags pl] <=> [AGS WAN SYSADM]
[dione.ids.pl SYSADM] <-> [http://lcamtuf.na.export.pl]
[+48 22 551 45 93] [+48 603 110 160] bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]