[19007] in bugtraq
Re: SuSe / Debian man package format string vulnerability
daemon@ATHENA.MIT.EDU (Nate Eldredge)
Mon Feb 5 14:39:19 2001
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <14974.18987.333764.510569@mercury.st.hmc.edu>
Date: Sun, 4 Feb 2001 22:37:31 -0800
Reply-To: Nate Eldredge <neldredge@HMC.EDU>
From: Nate Eldredge <neldredge@HMC.EDU>
X-To: Jose Nazario <jose@BIOCSERVER.BIOC.CWRU.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.30.0102042328410.23404-100000@biocserver.BIOC.CWRU.Edu>
Jose Nazario writes:
> On Sun, 4 Feb 2001, Martin Schulze wrote:
>
> > Please tell me what you gain from this. man does not run setuid
> > root/man but only setgid man. So all you can exploit this to is a
> > shell running under your own user id.
>
> sucker admins who m4 their sendmail.mc's as root, chiefly if you trick
> them into processing an untrusted and untrustworthy .mc file.
Umm... rather, if you can sucker them into processing a file named
"524t24y0%(%R&87963%n%n%n%n%n234t/bin/sh25r7u.mc" or something
similar. The exploit requires a carefully crafted command line
argument.
If you can sucker them into processing an untrustworthy .mc file, they
are in trouble anyway:
#! /usr/bin/m4
dnl syscmd() hands its argument to the shell, running as whoever invoked m4
syscmd(chmod 04755 /home/hax0r/sh)
--
Nate Eldredge
neldredge@hmc.edu
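Editor's added example, not code from the man package and not posted by anyone in this thread: a generic illustration of the bug class Nate is describing, in which a filename taken from the command line is handed to a printf-family function as the format string rather than as an argument. The helper `report`, the functions `describe_unsafe`/`describe_safe`, the variable `sink` and the sample filename "evil%n.mc" are all constructed for this demo. To keep the behaviour defined, the vulnerable function deliberately supplies a pointer for `%n` to land on; in a real exploit that pointer is whatever happens to sit in the corresponding argument slot on the stack.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical error-reporting helper of the kind found in many C programs:
 * it forwards a format string and its arguments to vsnprintf. Because the
 * wrapper has no format attribute, the compiler's non-literal-format warning
 * never fires at the call sites, which is one way such bugs stay hidden. */
static int report(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern: the attacker-controlled filename IS the format string.
 * Every %-directive in the name is interpreted; %n writes the number of bytes
 * emitted so far through a pointer pulled from the argument list. We hand it
 * `sink` so the write is well-defined and observable; in the real bug the
 * pointer is whatever sits in that argument slot on the stack. */
int describe_unsafe(const char *filename, char *out, size_t outsz, int *sink)
{
    return report(out, outsz, filename, sink);
}

/* Safe pattern: a fixed format, the filename passed as an argument. The %n
 * in the name is now just two bytes of text and nothing dereferences `sink`. */
int describe_safe(const char *filename, char *out, size_t outsz, int *sink)
{
    (void)sink; /* present only so both functions share a signature */
    return report(out, outsz, "%s", filename);
}

int main(void)
{
    /* Constructed sample filename: a benign stand-in for the crafted
     * argument quoted in the post above. */
    const char *name = "evil%n.mc";
    char buf[64];
    int sink = 0;

    int n = describe_unsafe(name, buf, sizeof buf, &sink);
    printf("unsafe: wrote %d bytes, buffer=\"%s\", sink=%d\n", n, buf, sink);

    sink = 0;
    n = describe_safe(name, buf, sizeof buf, &sink);
    printf("safe:   wrote %d bytes, buffer=\"%s\", sink=%d\n", n, buf, sink);
    return 0;
}
```

The unsafe call emits 7 bytes, leaves "evil.mc" in the buffer and sets sink to 4 (the byte count at the point %n was reached); the safe call emits 9 bytes, copies the name verbatim and leaves sink untouched. That write through a pointer the attacker did not supply but can often steer is the whole primitive; the fix is the fixed format string, not filtering '%' out of filenames.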