[14382] in bugtraq


Re: a few bugs ...

daemon@ATHENA.MIT.EDU (Michal Zalewski)
Wed Mar 22 03:24:46 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.21.0003210845260.16830-100000@dione.ids.pl>
Date:         Tue, 21 Mar 2000 08:49:04 +0100
Reply-To: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
From: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
X-To:         Daniel Jacobowitz <drow@FALSE.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20000320210007.A5220@drow.res.cmu.edu>

On Mon, 20 Mar 2000, Daniel Jacobowitz wrote:

> Actually, it was exploitable, if you are referring to the
> username-passed-in-format-string bit.  In my efforts for
> crack.linuxppc.org (which I have not gotten around to writing up yet,
> but will - there were a few interesting tidbits), I used that for two
> tricks: to gain root access within the chroot and to disable dropping
> of capabilities.

Hmm, correct me if I'm wrong, but in this particular case, we're not
inside a chroot() cage, nor is ntalkd using capabilities. In the next post,
I've described that we don't have enough space to overwrite anything
interesting on the stack, at least when we can overwrite it only with a small
integer. I'd appreciate it if you tell me what I've missed.

_______________________________________________________
Michal Zalewski * [lcamtuf@ags.pl] <=> [AGS WAN SYSADM]
[dione.ids.pl SYSADM] <-> [http://lcamtuf.na.export.pl]
[+48 22 551 45 93] [+48 603 110 160] bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
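The bug class under discussion, a caller-supplied name handed to a formatting function as the format itself, beside its hardened form. This is an added illustration, not ntalkd's code or either poster's; the log message text, function names and the sample name are constructed here.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: an untrusted remote name carrying format directives,
 * of the kind a talk-style daemon receives from the network. */
#define HOSTILE_NAME "alice%x%x%n"

/* Vulnerable shape: the untrusted name IS the format string, so every '%'
 * directive in it is interpreted. Shown only to make the defect visible;
 * it must never be called with untrusted input. */
int log_name_vulnerable(char *out, size_t outlen, const char *name)
{
    return snprintf(out, outlen, name);
}

/* Hardened shape: a fixed format, the name is a plain "%s" argument, so
 * any '%' in it is copied literally and never interpreted. */
int log_name_safe(char *out, size_t outlen, const char *name)
{
    return snprintf(out, outlen, "talk request from %s", name);
}

/* Audit helper: flag an untrusted string that carries a conversion
 * directive ("%%" is a literal percent and is not flagged). Useful for
 * logging or rejecting suspicious names at the input boundary. */
int has_format_directive(const char *s)
{
    const char *p;
    for (p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* escaped percent, skip both */
            p++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    char buf[128];
    log_name_safe(buf, sizeof buf, HOSTILE_NAME);
    printf("safe:   %s\n", buf);
    printf("flagged: %d\n", has_format_directive(HOSTILE_NAME));
    return 0;
}
```

Compiling with -Wformat-security reports the non-literal format in log_name_vulnerable, which is the quickest way to find this pattern in a code base.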
