[567] in linux-security and linux-alert archive
Linux: dip security hole
daemon@ATHENA.MIT.EDU (Dan Walters)
Tue Jan 23 13:52:41 1996
Date: Sun, 21 Jan 1996 14:34:22 -0600 (CST)
From: Dan Walters <djw@ccwf.cc.utexas.edu>
To: bugtraq@crimelab.com
cc: linux-alert@tarsier.cv.nrao.edu, linux-security@tarsier.cv.nrao.edu
Reply-To: linux-security@tarsier.cv.nrao.edu
[mod: I've removed the exploit code from this posting so that users can't
exploit the hole too easily. The full posting has been approved to
linux-security (and bugtraq, for that matter). An LSF update is
being prepared. --okir]
PROGRAM: dip 3.3.7n, and probably other variants
AFFECTED SYSTEMS: Linux - Slackware 3.0 and RedHat 2.1 verified,
others unknown.
IMPACT: Local users can get superuser privileges.
SYNOPSIS: Some Linux distributions ship dip setuid root by
default. At several points dip copies user-supplied data
into a buffer without bounding the copy, making a stack
overflow possible. Functions in which this appears to be
possible include do_chatkey() and mdm_dial().
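The advisory does not quote dip's source, so the following is an added illustration of the bug class it describes, not dip's code: a fixed-size stack buffer filled from a user-controlled argument with no length check, next to a bounded version that rejects over-long input. FIELD_MAX, the function names and the sample modem strings are all assumptions made for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical size of a chat/dial string buffer; dip's real buffer
 * sizes are not given in the advisory. */
#define FIELD_MAX 64

/* Vulnerable pattern: a fixed-size buffer on the stack filled from
 * user-controlled input with no bound. Anything longer than
 * FIELD_MAX - 1 bytes runs past the buffer into the saved frame
 * pointer and return address; in a setuid-root program a local user
 * who controls the argument can turn that into code running as root. */
static int parse_field_unsafe(const char *user_arg)
{
    char field[FIELD_MAX];
    strcpy(field, user_arg);            /* no length check at all */
    return (int)strlen(field);
}

/* Hardened pattern: measure against the destination size first and
 * refuse over-long input rather than truncating it silently (a
 * silently truncated modem command is its own bug). */
static int parse_field_safe(const char *user_arg, char *out, size_t outsz)
{
    size_t n = 0;
    while (n < outsz && user_arg[n] != '\0')   /* bounded length scan */
        n++;
    if (n >= outsz) {                   /* no room for the terminator */
        errno = E2BIG;
        return -1;
    }
    memcpy(out, user_arg, n + 1);       /* copy including the NUL */
    return (int)n;
}

/* Convenience wrapper with its own correctly sized buffer; returns the
 * accepted length or -1 if the input was rejected. */
static int check_field(const char *user_arg)
{
    char field[FIELD_MAX];
    return parse_field_safe(user_arg, field, sizeof field);
}

/* Feeds a constructed string of n copies of c through the safe path. */
static int check_repeated(char c, size_t n)
{
    char *s = malloc(n + 1);
    int rc;
    if (s == NULL)
        return -1;
    memset(s, c, n);
    s[n] = '\0';
    rc = check_field(s);
    free(s);
    return rc;
}

int main(void)
{
    printf("short input via safe path:   %d\n", check_field("ATDT5551212"));
    printf("63 bytes via safe path:      %d\n", check_repeated('A', 63));
    printf("64 bytes via safe path:      %d\n", check_repeated('A', 64));
    /* The unsafe path is only called with input that fits; handing it a
     * 4096-byte argument as check_repeated would is the stack smash. */
    printf("short input via unsafe path: %d\n", parse_field_unsafe("ATZ"));
    return 0;
}
```

The safe variant deliberately fails closed: an argument that does not fit is an error returned to the caller, not a truncated string, so the program can refuse the request instead of dialling something other than what was asked.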
WORKAROUND: Until the source has been further scrutinized,
dip should not be setuid unless it has to be:
chmod 0755 dip
If you must have dip setuid, place it in a group where it
can only be executed by trusted users. This limits the
exposure to the members of that group; it does not remove
the hole.
SAMPLE EXPLOIT:
[removed]
--------------------------------------------------------------------
Dan Walters
djw@mail.utexas.edu