[21442] in bugtraq


Re: dip 3.3.7p-overflow

daemon@ATHENA.MIT.EDU (teo@gecadsoftware.com)
Tue Jul 10 11:01:07 2001

Date: Tue, 10 Jul 2001 15:04:01 +0300
From: teo@gecadsoftware.com
To: bugtraq@securityfocus.com
Message-ID: <20010710150401.A21253@gecadsoftware.com>
Reply-To: teo@gecadsoftware.com
Mail-Followup-To: teo@gecadsoftware.com, bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <01070920432401.01023@faust>; from hegenbart@aon.at on Mon, Jul 09, 2001 at 08:33:37PM +0200

Hi sebi!
On Mon, 09 Jul 2001, sebi hegi wrote:

> Hi!
> After doing a check on my SuSE Linux 7.0 x86 I found something interesting:
> 
> hegi@faust:~ > ls -la /usr/sbin/dip
> -rwsr-xr--   1 root     dialout     62056 Jul 29  2000 /usr/sbin/dip
note the rights

> 
> DIP: Dialup IP Protocol Driver version 3.3.7p-uri (25 Dec 96)
> Written by Fred N. van Kempen, MicroWalt Corporation.
> 
> I considered this as a sort of old version and did some searching and found
> something on insecure.org as well as on securityfocus.com.
> 
> Description: Standard overflow (in the -l option processing).
> Author:  Goran Gajic <ggajic@AFRODITA.RCUB.BG.AC.YU>
> Compromise: root (local)
> Vulnerable Systems: Slackware Linux 3.4, presumably any other system using dip-3.3.7o or earlier suid root.
> Date: 5 May 1998
> 
> Referring to a bugtraq post from May 5, 1998, I did some research:
> 
> root@faust:/home/hegi > gdb /usr/sbin/dip
 ^...... erm, you already have root here

 notice that 1st ls showed root.dialout, and the rest of the world has only read.
 so if you're not in the dialout group you cannot exec it.

-- teodor
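
The permission reasoning in the reply above, worked through as an added example that is not part of the original post: given the mode and ownership from the quoted `ls -la` line (`-rwsr-xr--`, root, dialout), it reports which accounts can execute the binary and would then run it as its owner. The numeric gid for dialout and the sample accounts are constructed assumptions; only classic mode bits are modelled.

```python
import stat

# Constructed inputs modelled on the listing in the post: -rwsr-xr-- root dialout.
DIP_MODE = stat.S_IFREG | 0o4754
ROOT_UID = 0
DIALOUT_GID = 16   # assumed value; the post does not give the numeric gid


def permission_class(owner_uid, group_gid, uid, gids):
    """Pick the single class Unix checks: owner first, then group, then other."""
    if uid == owner_uid:
        return "owner"
    if group_gid in gids:
        return "group"
    return "other"


def setuid_reach(mode, owner_uid, group_gid, uid, gids):
    """Return (can_exec, runs_as_owner) for one user against one file."""
    # Classic mode bits only: ACLs, capabilities and nosuid mounts are ignored.
    x_bits = {"owner": stat.S_IXUSR, "group": stat.S_IXGRP, "other": stat.S_IXOTH}
    if uid == 0:
        # root may execute a file as soon as any execute bit is set
        can_exec = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    else:
        cls = permission_class(owner_uid, group_gid, uid, gids)
        can_exec = bool(mode & x_bits[cls])
    # The setuid bit only changes identity for callers who are not the owner already.
    runs_as_owner = can_exec and bool(mode & stat.S_ISUID) and uid != owner_uid
    return can_exec, runs_as_owner


def audit(mode, owner_uid, group_gid, users):
    """Map each user name to setuid_reach() for a {name: (uid, gids)} table."""
    return {name: setuid_reach(mode, owner_uid, group_gid, uid, gids)
            for name, (uid, gids) in users.items()}


# Constructed accounts: one outside dialout, one inside it, and root.
USERS = {
    "outsider": (500, {100}),
    "dialer": (501, {100, DIALOUT_GID}),
    "root": (0, {0}),
}

if __name__ == "__main__":
    for name, result in audit(DIP_MODE, ROOT_UID, DIALOUT_GID, USERS).items():
        print(name, result)
```

With this mode, the set of accounts that can reach the setuid code is exactly the membership of the dialout group, so that group's membership is what an audit should review.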
