Home page logo
/

bugtraq logo Bugtraq mailing list archives

glibc/locale sploit for ImmunixOS
From: Mariusz Woloszyn <emsi () IPARTNERS PL>
Date: Tue, 19 Sep 2000 23:15:18 +0200


I just developed the first publicly known sploit that bypases StackGuard
protection in real world. I decided to publish it as the patch for glibc
ImmunixOS is out. It's also the proof of concept described about year ago
in our (my and Bulba's) Phrack article published in May this year.
[http://phrack.infonexus.com/search.phtml?view&article=p56-5]

The sploit is as simple as possible, it does not take any arguments and
produces shell with euid==0. All addresses are fixed (stack and env).
The exploiting string overwrites exit() GOT entry and makes it point to
our shellcode (it's sufficient if the stack is executable) just like
we described it in phrack article long time ago :)

The exploit won't work if glibc is patched (ImmunixOS patched glibc can be
found at:
http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/
        glibc-2.1.3-21_StackGuard.i386.rpm
        glibc-devel-2.1.3-21_StackGuard.i386.rpm
        glibc-profile-2.1.3-21_StackGuard.i386.rpm
        nscd-2.1.3-21_StackGuard.i386.rpm).


I would like to remind that by using StackGuarded binaries you're still
adding extra security level that can be bypassed ONLY under certain
circumstances!

Greetings go to all best Polish security specialists!

Regards,

--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners, GTS Poland

Attachment: 33_su.c
Description:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault