[1090] in linux-security and linux-alert archive


Re: [linux-security] vulnerability in splitvt

daemon@ATHENA.MIT.EDU (David Holland)
Tue Aug 27 09:35:32 1996

From: David Holland <dholland@hcs.HARVARD.EDU>
To: markjr@shmooze.net (Stunt Pope)
Date: Mon, 26 Aug 1996 15:31:43 -0400 (EDT)
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199608260132.VAA02026@shmooze.net> from "Stunt Pope" at Aug 25, 96 09:32:09 pm


 > This may or may not have been reported already. I only
 > found out about this list _after_ I had been hacked :<

This is old - and I think an announcement of this bug was even posted
to comp.os.linux.announce.

The exploit's called "eggplant", and while I don't have a copy handy
I'm sure half a dozen people will mail it to you.

Basically it writes past the end of a buffer on the stack in splitvt;
this corrupts a function return address and lets the included code
(which is what's used to fill up the buffer) execute. That code does,
more or less, setuid(0); execl("/bin/sh", "/bin/sh", NULL).

-- 
   - David A. Holland          | Number of words in the English language that
     dholland@hcs.harvard.edu  | exist because of typos or misreadings: 381
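
The mechanism described in the message (an unbounded copy into a fixed stack buffer, so that whatever follows the filler lands on the saved return address), as an added example that is not part of the original message and not splitvt's code. It is a constructed model of a single stack frame with the vulnerable copy beside a hardened one: BUF_SIZE, RET_SENTINEL, the 'A' filler and the fake address are assumptions chosen for the illustration, and the struct is a model of the frame layout, not the real stack.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one stack frame, not splitvt's real layout: a fixed
 * buffer with the saved return address lying just above it, as on a stack
 * that grows downward.  BUF_SIZE and RET_SENTINEL are assumed values. */
#define BUF_SIZE     16
#define RET_SENTINEL 0x0000000000401234ULL   /* stands in for the true return address */

struct frame {
    char     buf[BUF_SIZE];
    uint64_t saved_ret;                      /* the slot the overrun clobbers */
};

/* The splitvt-style bug: copy the argument until NUL with no length check.
 * The write goes through a byte pointer over the whole frame so that, in
 * this model, the overrun stays inside the struct; real code would simply
 * strcpy(f->buf, arg) and run off the end of buf into the saved return. */
static void vulnerable_copy(struct frame *f, const char *arg)
{
    unsigned char *p = (unsigned char *)f;
    size_t i;

    f->saved_ret = RET_SENTINEL;
    for (i = 0; arg[i] != '\0' && i < sizeof *f; i++)
        p[i] = (unsigned char)arg[i];
    if (i < sizeof *f)
        p[i] = '\0';
}

/* Hardened form: measure first, refuse anything that does not fit, and only
 * then copy.  Returns 0 on success, -1 if the argument was rejected. */
static int safe_copy(struct frame *f, const char *arg)
{
    size_t n = strlen(arg);

    f->saved_ret = RET_SENTINEL;
    if (n >= BUF_SIZE)          /* need room for the terminating NUL */
        return -1;
    memcpy(f->buf, arg, n + 1);
    return 0;
}

/* Did anything overwrite the saved return address? */
static int ret_clobbered(const struct frame *f)
{
    return f->saved_ret != RET_SENTINEL;
}

/* Build an eggplant-style argument: BUF_SIZE bytes of filler followed by the
 * value meant to land on saved_ret.  The real exploit used the filler for
 * its code; 'A' stands in here.  Because the vulnerable copy stops at the
 * first NUL, a fake address containing a zero byte can never be delivered
 * whole, so such a value is rejected.  Returns the payload length, 0 on error. */
static size_t build_payload(char *out, size_t outlen, uint64_t fake_ret)
{
    unsigned char bytes[sizeof fake_ret];
    size_t k;

    if (outlen < BUF_SIZE + sizeof fake_ret + 1)
        return 0;
    memcpy(bytes, &fake_ret, sizeof bytes);
    for (k = 0; k < sizeof bytes; k++)
        if (bytes[k] == 0)
            return 0;
    memset(out, 'A', BUF_SIZE);
    memcpy(out + BUF_SIZE, bytes, sizeof bytes);
    out[BUF_SIZE + sizeof bytes] = '\0';
    return BUF_SIZE + sizeof bytes;
}

int main(void)
{
    struct frame f;
    char payload[64];
    size_t n = build_payload(payload, sizeof payload, 0x4242424242424242ULL);

    vulnerable_copy(&f, payload);
    printf("vulnerable copy of %zu bytes: saved_ret = 0x%016llx (%s)\n",
           n, (unsigned long long)f.saved_ret,
           ret_clobbered(&f) ? "CLOBBERED" : "intact");

    printf("safe copy: %s, saved_ret = 0x%016llx\n",
           safe_copy(&f, payload) == 0 ? "accepted" : "rejected",
           (unsigned long long)f.saved_ret);
    return 0;
}
```

The two copies differ only in whether the length is checked before the write; that one check is the whole fix for this class of bug. The zero-byte rejection in build_payload is the constraint the message's "included code" had to respect as well: anything past the first NUL in the argument never reaches the buffer, so both the code in the filler and the address written over the return slot must be free of zero bytes.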
