Vulnerability Development mailing list archives
Re: procmail again
From: Valdis.Kletnieks () vt edu
Date: Sun, 19 Oct 2003 02:49:13 -0400
On Sat, 18 Oct 2003 22:34:14 PDT, ned said:
> libd.so.1 is the sharefuzz getenv() hooker which just returns big buffers. i no longer have a redhat 7.1 machine and that information is little over 12 months old therefore someone with a rh 7.1 system please send in your
Oh.. getenv hooker. Hmm.. Might be fixed by:
    2001/06/28: v3.20
    Changes to procmail:
    (....)
    - Drop duplicate and malformed environment entries
but trying to develop anything out of it will be quite the challenge - you'll need
to find a procmail 3.14 running on a box that doesn't leak like swiss cheese through
other holes - I'd not trust *anything* on an unpatched RH7.1 that's on a public net.
I mean, how do you know some hacker hasn't nailed libc.so with some code that
does:
if (!geteuid() && !strcmp(argv[0],"procmail")) {.....
to re-insert a backdoor into the system?
If your research box is very old and/or unpatched, and isn't in a strictly
controlled lab environment, trying to research can be interesting because you
can't be sure you aren't tripping over somebody else's rootkit.. ;)
(What? You wanted more profound insight at 2:45AM? ;)
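
An illustration of the kind of environment scrubbing the quoted v3.20 changelog line describes, added here as an example; it is not procmail's code and not part of the original message. The names scrub_env, env_name_len and sample_env, and the max_len cap on entry size, are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Length of NAME if entry is a well-formed "NAME=value", else 0. */
static size_t env_name_len(const char *entry)
{
    const char *eq = strchr(entry, '=');
    return (eq == NULL || eq == entry) ? 0 : (size_t)(eq - entry);
}

/* Compact a NULL-terminated environment array in place. Drops entries with
 * no '=' or an empty name, entries longer than max_len (a cap assumed for
 * this example, not part of the changelog entry), and later entries whose
 * name repeats an earlier one. Returns the number of entries kept. */
size_t scrub_env(char **env, size_t max_len)
{
    size_t kept = 0;

    for (size_t i = 0; env[i] != NULL; i++) {
        size_t nlen = env_name_len(env[i]);
        int dup = 0;

        if (nlen == 0 || strlen(env[i]) > max_len)
            continue;
        for (size_t j = 0; j < kept && !dup; j++)
            dup = env_name_len(env[j]) == nlen &&
                  strncmp(env[j], env[i], nlen) == 0;
        if (!dup)
            env[kept++] = env[i];
    }
    env[kept] = NULL;
    return kept;
}

/* Constructed sample environment, not captured from a real system. */
static char *sample_env[] = {
    "PATH=/bin:/usr/bin", "MALFORMED", "=emptyname",
    "PATH=/tmp", "HOME=/home/user", NULL
};

int main(void)
{
    size_t n = scrub_env(sample_env, 4096);

    for (size_t i = 0; i < n; i++)
        puts(sample_env[i]);
    return 0;
}
```

Scrubbing the array a setuid program receives only covers what is passed in envp; it does not help if getenv() itself has been replaced on the box, which is the trust problem the message raises.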
