Full Disclosure: Re: McAfee Virus Scan for Linux and Unix v5.10.0 Local Buffer Overflow

[3APA3A <3APA3A () SECURITY NNOV RU>]

Dear Joey Mengele,

Of cause, it's mitigating factor. But:

default  PATH_MAX  under  Linux  is  4096,  and  it's not hard to create
file/folder   with   longer   path,   it's  impossible to access it,

E.g. folder with path longer than PATH_MAX:

bash$ pwd
pwd: could not get current directory: getcwd: cannot access parent directories: Result too large
bash$ ls
job-working-directory: could not get current directory: getcwd: cannot access parent directories: Result too large

Access   is  not  required  in  this  case.  It's  possible  to  create
_searchable_ files with  the  length  up  to  approximately  MAX_PATH  +
NAME_MAX. It's more than required to exploit (4128).

--Wednesday, August 15, 2007, 9:34:50 PM, you wrote to joey.mengele () hushmail com:

JM> You are playing handpuppet of the jackass, actually. Check PATH_MAX 
JM> in the Linux Kernel.

JM> J

JM> On Wed, 15 Aug 2007 12:53:18 -0400 monikerd <monikerd () gmail com> 
JM> wrote:
> > Joey Mengele wrote:
> > > Where does security come into play here? This is a local crash 
> > in a 
> > > non setuid binary. I would like to hear your remote exploitation 
> > > scenario. Or perhaps your local privilege escalation scenario?
> > >
> > > J
> > >
> > >   
> > I'll play advocate of the devil then. Imagine a wiki running on a 
> > webserver,
> >
> > that allows anybody to create new topics which end up in
> > /articles/[Topic].txt
> > with sufficient .htaccess stuff in /articles to twart most usual 
> > attacks ..
> >
> >
> > If you could create an arbitrary long topic, then you *might*
> > be able to execute some code, when some cronjob would scan the 
> > drive
> > and come across the file?
> >
> > creating files is a different privilege than  running code. Hence 
> > imho
> > it's not a bogus advisory.
> >
> >
> > another possibility would be to create an archive that extracts an
> > incredibly
> > long filename perhaps? scanning an archive before/after it's 
> > extracted
> > is a pretty common event i guess.
JM> --
JM> Click for free information on accounting careers, $150 hour potential.
JM> http://tagline.hushmail.com/fc/Ioyw6h4dCaNyraR2kkZ8KcMCiTJDWZokEDbswig9iZ5cvsPFFYamWc/

JM> _______________________________________________
JM> Full-Disclosure - We believe in it.
JM> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
JM> Hosted and sponsored by Secunia - http://secunia.com/


-- 
~/ZARAZA http://securityvulns.com/
...без дубинки никогда не принимался он за программирование. (Лем)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/