[509] in linux-security and linux-alert archive
Re: Avalon Release
daemon@ATHENA.MIT.EDU (Razvan STANESCU)
Sat Dec 9 21:30:05 1995
Date: Sat, 9 Dec 1995 04:09:02 +0200 (EET)
From: Razvan STANESCU <pappy@nls.pcnet.ro>
To: linux-security@tarsier.cv.nrao.edu, linux-alert@tarsier.cv.nrao.edu
-----BEGIN PGP SIGNED MESSAGE-----
On Thu, 7 Dec 1995, Baba Z Buehler wrote:
> root <root@crimson.cadvision.com> writes:
> > Affected Program: splitvt(1)
> >
> > Affected Operating Systems: Linux 2-3.X
^^^^^
> > Exploitation Result: Local users can obtain superuser privileges.
> >
> > Bug Synopsis: A stack overflow exists via user-defined, unbounds-checked,
> > user-supplied data sent to a sprintf().
> >
>
> There is no Linux 2-3.X. It would be much more helpful if you would list
... agree
> versions of the kernel, libc and program that were used to exploit the hole.
Sorry, on my system that hack does not work. I have 1.2.13 compiled as
ELF (patch available somewhere at ftp://ftp.pcnet.ro/pub/linux/), but
compiling and running that hack, I got nothing but garbage; also
`splitvt' told me something about an illegal instruction, but I never
got UID==0.
Here is my session
- -----------------------
tty11 nls01!pappy:~/> cc -o sp sp.c
tty11 nls01!pappy:~/> ./sp
bash: [ garbage ]
bash$ ./sp
bash: [ garbage ]
bash$ splitvt
Illegal instruction
bash$ whoami
pappy
bash$ id
uid=1000(pappy) gid=100(nls)
bash$ cat /etc/shadow
cat: /etc/shadow: Permission denied
- ------------------------
NB: The second time when I compiled `sp', there was no garbage...
because of the moon :-)
So, where is the bug? What should I have to do (if anything)? Is it `bash'
itself, or splitvt (or the kernel)?
I have no "standard" distribution, I compiled all, as ELF, starting with
InfoMagic March 1995 (I used `debian', `slackware' and some GNU related
FTP sites)
Is this dependent on ELF or AOUT? (I run both, no room for compiling
X*): ld.1.7.3, libc-5.0.9, libc-4.6.27 (aout).
Thank you,
-- pappy
----------------- ------------------------------
| Razvan Stanescu | phone/fax: (+40) 1 6654292 |
----------------- ------------------------------
| email: pappy@nls.pcnet.ro, pappy@pappy.guru.ro |
------------------------------------------------
Win95 is not a virus; a virus does something.
-----BEGIN PGP SIGNATURE-----
Version: 2.6
iQBVAgUBMMjvt7HbtxtV5OZJAQGOSQH8Cc+m4Z8WiWlw4D13sdWvIQw0LkH0/Lpu
mirvuo7ef3LgL/nvL+M39lJhOgbMCCQAqRLGIrwGTOz76nMDD+IUTg==
=od+c
-----END PGP SIGNATURE-----
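As an added illustration, and not code from splitvt, from the advisory, or from anyone in this thread: the bug class the quoted synopsis names (an unbounded sprintf() of user-supplied data into a fixed-size stack buffer), shown beside the bounded form that rejects input that would not fit. Every function and buffer name here is hypothetical, the buffer size is made up, and the oversize input is constructed for the demo; nothing below reflects splitvt's actual code or an exploit for it.

```c
/* Added example (hypothetical names, constructed input): the unbounded
 * sprintf() pattern beside a bounded replacement. Not splitvt's code. */
#include <stdio.h>
#include <string.h>

#define TITLE_LEN 64   /* made-up size of a fixed stack buffer */

/* Vulnerable pattern: sprintf() writes as many bytes as the formatted
 * string needs, with no idea how big `title` is. Any `name` longer than
 * TITLE_LEN - strlen("Window: ") - 1 bytes runs past the end of the
 * caller's stack buffer. Never call this with untrusted input. */
int format_title_unsafe(char *title, const char *name)
{
    return sprintf(title, "Window: %s", name);   /* no length check */
}

/* Hardened form: snprintf() writes at most `size` bytes, including the
 * terminating NUL, and returns the length the full string would have had.
 * A return value >= size means the output was truncated; we report that
 * as -1 rather than silently handing back a clipped title. */
int format_title_safe(char *title, size_t size, const char *name)
{
    int n = snprintf(title, size, "Window: %s", name);
    if (n < 0 || (size_t)n >= size)
        return -1;
    return n;
}

/* Longest name that still fits a buffer of `size` bytes with this format. */
size_t max_name_len(size_t size)
{
    return size - strlen("Window: ") - 1;
}

/* Demo/test helper: format a constructed name of `len` 'A' characters
 * through the safe routine and return its result (length or -1). */
int try_name_len(size_t len)
{
    char title[TITLE_LEN];
    char name[256];                       /* constructed input, not real data */
    if (len >= sizeof name)
        len = sizeof name - 1;
    memset(name, 'A', len);
    name[len] = '\0';
    return format_title_safe(title, sizeof title, name);
}

int main(void)
{
    char title[TITLE_LEN];

    if (format_title_safe(title, sizeof title, "tty11") > 0)
        printf("ok: %s\n", title);

    if (try_name_len(199) < 0)
        printf("rejected: a 199-byte name would overflow a %d-byte buffer\n",
               TITLE_LEN);

    /* format_title_unsafe(title, <199-byte name>) would overwrite whatever
     * sits above `title` on the stack; that is the advisory's bug class. */
    return 0;
}
```

The check that matters is the comparison against `size` after snprintf(): without it the bounded call still cannot overflow, but the caller would carry on with a truncated string and never learn that the input was hostile or malformed.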