Bugtraq
mailing list archives
Re: /bin/su local libc exploit yielding a root shell
From: Matt Wilson <msw () REDHAT COM>
Date: Wed, 4 Oct 2000 00:59:35 -0400
I have been able to verify this exploit on stock Red Hat Linux 6.2,
and have verified that the rogue message catalog is not read when the
errata for glibc at:
http://www.redhat.com/support/errata/RHSA-2000-057-04.html
is applied.
Again - Red Hat, Inc. strongly recommends that all users upgrade to
the glibc errata in RHSA-2000-057-04 as it protects you against this
and similar exploits.
Cheers,
Matt
msw () redhat com
On Tue, Oct 03, 2000 at 12:25:14PM +0200, Guido Bakker wrote:
/*
Hail to thee dear readers,
This is yet another /bin/su + buggy locale functions in libc exploit.
The reason for writing it is rather easy to explain, all existing versions
of "su" format bug exploits were very unreliable and tedious to use - the
number of addresses on the stack, and thus the number of %.8x signs to use
varied heavily, as well as the alignment. Return addresses were expected to
be specified on the command line, which is imho an idiotic thing to combine
with all the other options that also are to be 'brute forced'.
Finding these values by hand is too tedious a thing to do and costs the
average script-kid way too much time. I hoped to solve this in this exploit
and have found it to work on many different machines so far by using a
small brute forcing perl wrapper.
<code snipped>
| Guido Bakker <guidob () mainnet nl>
| Network Manager
MainNet BV, http://www.mainnet.nl
Phone: +31 (0)20 6133505
Fax: +31 (0)20 6135640
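As an added example (not code from this thread, from su, or from glibc), here is one defensive check a setuid program can apply before a catalog string reaches printf(): accept a translation only when its conversion directives match those of the original msgid, and otherwise fall back to the untranslated text. The function names and sample strings are my own.

```c
/* Added example: reject a translated message whose printf conversion
 * specifiers differ from the original msgid.  A setuid program that passes
 * gettext() output straight to printf() is only safe if a user-supplied
 * catalog cannot introduce directives the program never intended. */
#include <stdio.h>
#include <string.h>

/* Copy the conversion character of each %-directive in fmt into out
 * ("%-10.4lx" -> 'x'; "%%" is skipped).  Returns the number of directives. */
static size_t format_signature(const char *fmt, char *out, size_t cap)
{
    size_t n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;               /* literal percent sign */
        /* skip flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) p++;
        if (!*p) break;                        /* trailing lone '%' */
        if (n + 1 < cap) out[n] = *p;
        n++;
    }
    if (cap) out[n < cap ? n : cap - 1] = '\0';
    return n;
}

/* Return the translation only if its directives match msgid's exactly;
 * otherwise return the untranslated msgid, which the program controls. */
const char *safe_translation(const char *msgid, const char *translated)
{
    char a[64], b[64];
    size_t na = format_signature(msgid, a, sizeof a);
    size_t nb = format_signature(translated, b, sizeof b);
    if (na != nb || na >= sizeof a || strcmp(a, b) != 0)
        return msgid;
    return translated;
}

int main(void)
{
    /* constructed sample strings: a legitimate translation and a rogue one */
    const char *ok  = safe_translation("%s: incorrect password\n",
                                       "%s: mot de passe incorrect\n");
    const char *bad = safe_translation("%s: incorrect password\n",
                                       "%s: %x %x %x\n");
    printf("%s", ok ? ok : "");   /* prints the translation */
    printf("%s", bad ? bad : ""); /* prints the original msgid */
    return 0;
}
```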