[20020] in bugtraq
Re: .. ptrace improvement
daemon@ATHENA.MIT.EDU (helmut katzgraber)
Wed Apr 4 06:18:30 2001
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.4.30.0104031714310.12350-100000@debussy.ucsc.edu>
Date: Tue, 3 Apr 2001 17:18:23 -0700
Reply-To: helmut katzgraber <dummkopf@PHYSICS.UCSC.EDU>
From: helmut katzgraber <dummkopf@PHYSICS.UCSC.EDU>
X-To: Viraj Alankar <valankar@IFXCORP.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.30.0104021056400.23600-100000@localhost.localdomain>
worked for me on rh 6.2 running the "new" 2.2.17-14 kernel
as well as 2.2.16-3. when will redhat (and other linux
vendors) release a new kernel package to fix this problem?
[dk ~]$ uname -a
Linux dk 2.2.17-14 #1 Mon Feb 5 18:48:50 EST 2001 i686 unknown
[dk ~]$ gcc epcs2.c
[dk ~]$ ./a.out /usr/bin/gpasswd
bug exploited successfully.
enjoy!
bash# whoami
root
bash#
cheers, h.
Viraj Alankar (2001-04-02 11:03 -0400) wrote:
# On Sat, 31 Mar 2001, Tim Yardley wrote:
#
# > As always, there are always ways to improve things. This version of the
# > exploit posted here previously overwrites the dl _start routine and doesn't
# > modify eip. This will help on stack non-exec systems and doesn't require
# > you to calculate the bss offset. I didn't test it, but this should still
# > work on a stackguard compiled program as well.
#
# This works on my RH 6.2 w/ 2.2.16-3. I see that Redhat released a 2.2.17
# RPM on 2/8/2001 with 'ptrace' as one of the keywords. Does anyone know if
# this RPM addresses the problem?
#
# Viraj.
#
_________________________________________________________
Helmut G. Katzgraber
Physics Department, Kerr Hall
University of California
Santa Cruz, CA 95064, USA
dummkopf@physics.ucsc.edu
http://debussy.ucsc.edu/
Phone: (+1) 831-459-4762
Fax: (+1) 831-459-3043