[20177] in bugtraq
HylaFAX vulnerability (fwd)
daemon@ATHENA.MIT.EDU (Marcin Dawcewicz)
Thu Apr 12 15:34:36 2001
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.4.21.0104121528180.7884-100000@aph.waw.pdi.net>
Date: Thu, 12 Apr 2001 15:30:48 +0200
Reply-To: Marcin Dawcewicz <miv@IIDEA.PL>
From: Marcin Dawcewicz <miv@IIDEA.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
In fact /usr/sbin/hfaxd is SUID to root _not_ uucp as I stated in my
previous message. Sorry for this mistake.
--
pozdrawiam,
-= Marcin Dawcewicz =- mailto: miv@gnu.org.pl
"When freedom is outlawed, only outlaws will be free"
---------- Forwarded message ----------
Date: Thu, 12 Apr 2001 03:22:20 +0200 (CEST)
From: Marcin Dawcewicz <miv@iidea.pl>
To: bugtraq@securityfocus.com
Subject: HylaFAX vulnerability
Hi,
I've found classical format bug while I was playing with HylaFAX
server (v4.1 beta2):
$ [ -u /usr/sbin/hfaxd ] && /usr/sbin/hfaxd -q '%n%n' # SUID uucp
Segmentation fault
It crashes while calling syslog() with user supplied fmt. Looks nasty.
Sorry, I have no working exploit, I won't have one and I have no idea if
there are other similar bugs in HylaFAX. I just taught it will be nice to
bring this case to your attention, guys. Maybe someone, who has more time
than I have can do a little more research.
--
greets,
-= Marcin Dawcewicz =- mailto: miv@gnu.org.pl
"When freedom is outlawed, only outlaws will be free"
