[709] in linux-security and linux-alert archive
Re: [linux-security] Bounds checking problem, apparently with libc >5.0.0 <5.3.9
daemon@ATHENA.MIT.EDU (Synthesizer Punk)
Thu May 9 08:26:28 1996
Date: Thu, 9 May 1996 07:22:08 -0400 (EDT)
From: Synthesizer Punk <lharring@tessier.com>
To: lilo <TaRDiS@mail.utexas.edu>
cc: Linux Security List <linux-security@tarsier.cv.nrao.edu>
In-Reply-To: <19960508072311.1742.qmail@Mail.UTexas.EDU>
On Wed, 8 May 1996, lilo wrote:
> This evening I was given an exploit which suggests a serious bounds-checking
> problem in libc >5.0.0 <5.3.9 or so.
>
> [Mod: Quoting trimmed. --Jeff.]
This is an old 'exploit' if you will call it that. I won't provide
specifics, for obvious reasons, but I will say that it uses the client-to-
client protocol to fake a direct client connection send. I haven't gotten
a chance to really look at it, but I've been testing it on idiots in the
#warez channels (My testing grounds, no one cares what happens to them :P)
and it seems as if it works about 1/5th of the time. Some scripts even
gave me a dirty reply stating (quote) 'Try that backdoor somewhere else
ASSHOLE!'. That one gave me a shock. :) I scanned it over in JED (8-bit
clean) and I noticed a reference to /bin/sh. If lilo doesn't want to
provide the information, I will. A basic solve would be to ignore all
CTCPs if you find your client is exposed to this:
/ignore * ctcp
synthpunk@irc
The Wasteland IRC Administrator
lharring@tessier.com
http://www.tessier.com/People/synthpunk
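An added illustration of the "/ignore * ctcp" mitigation the reply ends with; this is example code written for this page, not code from the original message or from any IRC client. It parses IRC PRIVMSG lines, recognises CTCP-wrapped payloads (the carrier for client-to-client requests such as DCC), and drops them before a client would act on them, recording what was suppressed so the drops can be reviewed. The sample traffic, nicks and hostnames are constructed.

```python
import re
from typing import Iterable, List, NamedTuple, Optional, Tuple

# Constructed example mirroring an "ignore all CTCP" client policy.
# CTCP payloads are wrapped in 0x01 bytes inside an ordinary PRIVMSG.
CTCP_DELIM = "\x01"

# Minimal IRC line grammar: [":" prefix SP] command [SP params]
IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>.*))?$")


class Privmsg(NamedTuple):
    nick: str
    target: str
    text: str


class Ctcp(NamedTuple):
    command: str
    args: str


def parse_privmsg(line: str) -> Optional[Privmsg]:
    """Return (nick, target, text) for a PRIVMSG line, or None for any other line."""
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if not m or m.group("cmd").upper() != "PRIVMSG" or m.group("params") is None:
        return None
    prefix = m.group("prefix") or ""
    nick = prefix.split("!", 1)[0]  # "nick!user@host" -> "nick"
    params = m.group("params")
    # The message text follows " :"; fall back to the second token if absent.
    target, sep, text = params.partition(" :")
    if not sep:
        parts = params.split(" ", 1)
        target, text = parts[0], (parts[1] if len(parts) > 1 else "")
    return Privmsg(nick=nick, target=target, text=text)


def extract_ctcp(text: str) -> Optional[Ctcp]:
    """Return the CTCP command and arguments if the text is CTCP, else None.

    A leading 0x01 is treated as CTCP even when the closing 0x01 is missing,
    since lenient clients have historically accepted truncated requests.
    """
    if not text.startswith(CTCP_DELIM):
        return None
    body = text[1:]
    end = body.find(CTCP_DELIM)
    if end != -1:
        body = body[:end]
    command, _, args = body.partition(" ")
    return Ctcp(command=command.upper(), args=args)


def filter_ctcp(lines: Iterable[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Apply an "ignore all CTCP" policy to a stream of raw IRC lines.

    Returns (kept_lines, dropped) where dropped lists (nick, ctcp_command)
    so the suppressed requests can be logged and reviewed.
    """
    kept: List[str] = []
    dropped: List[Tuple[str, str]] = []
    for line in lines:
        msg = parse_privmsg(line)
        ctcp = extract_ctcp(msg.text) if msg else None
        if ctcp is None:
            kept.append(line)
        else:
            dropped.append((msg.nick, ctcp.command))
    return kept, dropped


# Constructed sample traffic (hostnames and nicks are made up for this example).
SAMPLE_LINES = [
    ":alice!a@example.net PRIVMSG bob :hello there",
    ":mallory!m@example.net PRIVMSG bob :\x01DCC CHAT chat 2130706433 6667\x01",
    ":carol!c@example.net PRIVMSG bob :\x01VERSION\x01",
    ":dave!d@example.net PRIVMSG #chan :\x01ACTION waves\x01",
    ":eve!e@example.net PRIVMSG bob :\x01PING 1234",  # truncated CTCP, no closing 0x01
    ":server.example.net 001 bob :Welcome",
]

if __name__ == "__main__":
    kept_lines, dropped_requests = filter_ctcp(SAMPLE_LINES)
    for raw in kept_lines:
        print("KEEP", repr(raw))
    for who, cmd in dropped_requests:
        print("DROP ctcp", cmd, "from", who)
```

Like the client-side /ignore, this is deliberately blunt: it drops every CTCP, including harmless ones such as VERSION and ACTION, which is the trade-off the reply accepts in exchange for not letting an exposed client process any client-to-client request.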