Vulnerability Development
mailing list archives
Re: nonsuid overflows... still at risk?
From: "Andrew R. Reiter" <arr () watson org>
Date: Wed, 6 Jun 2001 03:20:00 -0400 (EDT)
Any bug in a piece of code, regardless of use (to some extent), should
also be considered a security risk.
On Tue, 5 Jun 2001, KF wrote:
Here are several binaries on SCO that are not suid; however, they seem to have classic overflows... I was wondering if these could be exploited due to the fact that a number of programs call them. vi, pg and more are the binaries in question.
# SCO_SV frodev 3.2 5.0.6 i386
# TERM=`perl -e 'print "A" x 7000'`
# export TERM
# vi
Memory fault - core dumped
# pg
Memory fault - core dumped
# more
Memory fault - core dumped
Perhaps vi is exploitable via a suid program calling it?
# ls -al /usr/bin/crontab
lrwxrwxrwx 1 root root 39 Mar 26 08:23 /usr/bin/crontab -> /opt/K/SCO/Unix/5.0.6Ga/usr/bin/crontab
# ls -al /opt/K/SCO/Unix/5.0.6Ga/usr/bin/crontab
---x--s--x 1 bin cron 39940 Jul 28 2000 /opt/K/SCO/Unix/5.0.6Ga/usr/bin/crontab
# ls core*
core
# rm core
# crontab -e
Note: there was no message about it, but there is a new core file.
# ls core
core
input anyone?
-KF
*-------------.................................................
| Andrew R. Reiter
| arr () fledge watson org
| "It requires a very unusual mind
| to undertake the analysis of the obvious" -- A.N. Whitehead