[546] in Best-of-Security


BoS: Cidentd

daemon@ATHENA.MIT.EDU (Jackal)
Mon Jan 19 22:15:43 1998

XDelivering-To: best-of-security@cyber.com.au
Delivering-To: best-of-security@cyber.com.au
Date: 	Sat, 10 Jan 1998 14:32:44 +0200
Reply-To: Jackal <jackal@HACK.GR>
From: Jackal <jackal@HACK.GR>
Old-X-Originally-To: To: BUGTRAQ@NETSPACE.ORG
Old-X-Originated-From: From: Jackal <jackal@HACK.GR>
Errors-To: best-of-security-request@cyber.com.au
To: best-of-security@cyber.com.au
Resent-From: best-of-security@cyber.com.au


I'm sorry if this is already known, but I'm new to bugtraq. I've been using
cidentd for quite a long time and I have never had any problems. But,
while I was looking in the code, I found something interesting. The
buffers cident uses for reading from /etc/cident.users and ~/.authlie
are all 1024 bytes long. So I created, as a normal user, a ~/.authlie with
a single line like this:
user    xxxx......xxxxx
         (1024 times)
And something not so unexpected happened... Cidentd would core dump...
I'm not too good at making buffer overflow exploits, but I believe
that the xxx could be replaced with some shell code, like making a suid shell
in /tmp.

Jackal/XTC
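The failure mode the post describes, a fixed 1024-byte line buffer fed a user-controlled line of 1024 or more bytes, as an added example that is not cidentd's code and not part of the original post. It shows the unbounded copy pattern for contrast and, beside it, a reader that keeps the same 1024-byte buffer but rejects any line that cannot fit with its terminator instead of overrunning or silently truncating. The "user token" field layout, the field-width limits and the sample entries are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same fixed line-buffer size the report attributes to cidentd. */
#define LINE_BUF 1024

enum line_status { LINE_OK, LINE_TOO_LONG, LINE_MALFORMED };

struct scan_result { int ok; int too_long; int malformed; };

/* UNSAFE pattern, shown for contrast only (never call it on untrusted data):
 * it copies up to the newline with no bound, so a line of LINE_BUF or more
 * bytes writes past the end of 'out'. */
void copy_line_unbounded(const char *p, char out[LINE_BUF])
{
    size_t i = 0;
    while (p[i] != '\0' && p[i] != '\n') { out[i] = p[i]; i++; }  /* no bound */
    out[i] = '\0';
}

/* Hardened reader: copies one line into 'out' only if it fits together with
 * its NUL; a line of LINE_BUF or more bytes is rejected rather than truncated,
 * so no later parser sees a silently chopped entry. Advances *cursor past
 * the line either way. */
static enum line_status read_line_bounded(const char **cursor, char out[LINE_BUF])
{
    const char *p = *cursor;
    const char *nl = strchr(p, '\n');
    size_t len = nl ? (size_t)(nl - p) : strlen(p);

    *cursor = nl ? nl + 1 : p + len;
    out[0] = '\0';
    if (len >= LINE_BUF)
        return LINE_TOO_LONG;
    memcpy(out, p, len);
    out[len] = '\0';
    return LINE_OK;
}

/* Parses an assumed "user token" entry; the scanf field widths cap each copy
 * so neither destination can overflow even on a line that passed the check. */
static enum line_status parse_entry(const char *line, char user[64], char token[256])
{
    if (sscanf(line, "%63s %255s", user, token) != 2)
        return LINE_MALFORMED;
    return LINE_OK;
}

/* Walks a whole file image, tallying accepted, over-long and malformed lines.
 * Blank lines are skipped. */
struct scan_result scan_authlie(const char *text)
{
    struct scan_result r = {0, 0, 0};
    const char *cursor = text;
    char line[LINE_BUF], user[64], token[256];

    while (*cursor != '\0') {
        enum line_status st = read_line_bounded(&cursor, line);
        if (st == LINE_TOO_LONG) { r.too_long++; continue; }
        if (line[0] == '\0') continue;                  /* blank line */
        if (parse_entry(line, user, token) != LINE_OK) { r.malformed++; continue; }
        r.ok++;
    }
    return r;
}

/* Constructed sample file: two sane entries, one entry whose token is 1024 'x'
 * bytes (the report's test case), and one line with a single field. */
char *build_sample_text(void)
{
    const char *good = "alice   secret1\nbob     secret2\n";
    const char *bad  = "lonely\n";
    size_t xs = 1024;
    size_t n = strlen(good) + strlen("user    ") + xs + 1 + strlen(bad) + 1;
    char *s = malloc(n), *p;
    if (!s) return NULL;
    strcpy(s, good);
    strcat(s, "user    ");
    p = s + strlen(s);
    memset(p, 'x', xs);
    p[xs] = '\n';
    p[xs + 1] = '\0';
    strcat(s, bad);
    return s;
}

int main(void)
{
    char *text = build_sample_text();
    struct scan_result r = scan_authlie(text);
    printf("accepted=%d too_long=%d malformed=%d\n", r.ok, r.too_long, r.malformed);
    free(text);
    return 0;
}
```

The design choice worth noting is rejection over truncation: a `fgets`-style reader that stops at 1023 bytes avoids the overrun but leaves the tail of the long line to be read as the next entry, which a parser may then accept as a different user's record. Checking the line length before the copy, as above, makes an over-long line a logged rejection rather than either outcome.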


