[21912] in bugtraq


Re: top format string bug exploit code (exploitable)

daemon@ATHENA.MIT.EDU (Lupe Christoph)
Thu Jul 26 18:46:49 2001

Date: Thu, 26 Jul 2001 08:42:18 +0200
From: Lupe Christoph <lupe@lupe-christoph.de>
To: SeungHyun Seo <s1980914@inhavision.inha.ac.kr>
Cc: bugtraq@securityfocus.com
Message-ID: <20010726084218.Q6954@alanya.lupe-christoph.de>
Mail-Followup-To: Lupe Christoph <lupe@alanya.lupe-christoph.de>,
	SeungHyun Seo <s1980914@inhavision.inha.ac.kr>,
	bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200107251024.f6PAOT615354@inhavision.inha.ac.kr>; from s1980914@inhavision.inha.ac.kr on Wed, Jul 25, 2001 at 07:24:29PM +0900

On Wednesday, 2001-07-25 at 19:24:29 +0900, SeungHyun Seo wrote:

> It still seems to be affected under 3.5beta9 (including this version).
> Someone said about 8 months ago that it's not an exploitable vulnerability,
> but it's possible to exploit, though the situation is difficult.
> The following code and some procedure comments demonstrate it.

> Possible to get kmem privilege in the XXXXBSD which is still not patched,
> possible to get root privilege in Solaris.

Top does not need to be SUID root in Solaris, either. The default
install uses this mode (clipped from the Makefile generated on
Solaris 8 x86):
MODE   = 2711
GROUP  = sys
Both /dev/mem and /dev/kmem are
crw-r-----   1 root     sys       13,  1 Dec  3  2000 /dev/kmem
crw-r-----   1 root     sys       13,  0 Dec  3  2000 /dev/mem

Lupe Christoph
-- 
| lupe@lupe-christoph.de       |        http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a      |
| Bat-Leth contest on the holodeck. They will not concern us again.      |
| http://public.logica.com/~stepneys/joke/klingon.htm                    |
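
A quick audit check for the situation Lupe describes (a setgid binary whose group owns a kernel memory device that grants group read), as an added example that is not part of the original mail and not code from top: a POSIX sh script that walks a directory for setgid files and reports those whose group matches the device's group when the device's group-read bit is set. It assumes the usual "ls -l" column layout (mode, links, owner, group) and paths without whitespace; the built-in demo uses a constructed temporary directory standing in for the install directory and /dev, with files in the caller's primary group, so it runs on any POSIX host without a Solaris /dev/kmem.

```shell
#!/bin/sh
# Added example, not code from the original mail or from top: audit a tree
# for setgid binaries whose group can read a kmem-style device.
# Assumes the usual "ls -l" column layout (mode links owner group ...) and
# paths without whitespace. The demo uses a constructed temp directory in
# place of the install directory and /dev, so it runs on any POSIX host.

# perms_of PATH -> prints "<mode string> <group>" for PATH
perms_of() {
    ls -ld "$1" | awk '{ print $1, $4 }'
}

# device_group_readable DEVICE -> 0 if the group read bit is set
# (5th character of the mode string, e.g. crw-r----- for /dev/kmem)
device_group_readable() {
    set -- $(perms_of "$1")
    case "$1" in
        ????r*) return 0 ;;
        *)      return 1 ;;
    esac
}

# is_setgid_to_group FILE GROUP -> 0 if FILE is setgid and owned by GROUP
# (setgid shows as s/S in the 7th character, e.g. -rwx--s--x for mode 2711)
is_setgid_to_group() {
    set -- $(perms_of "$1") "$2"
    case "$1" in
        ??????[sS]*) [ "$2" = "$3" ] ;;
        *)           return 1 ;;
    esac
}

# audit_setgid_kmem DIR DEVICE -> lists setgid files under DIR whose group
# can read DEVICE; returns 0 if at least one was found, 1 otherwise
audit_setgid_kmem() {
    dir=$1
    dev=$2
    device_group_readable "$dev" || return 1
    set -- $(perms_of "$dev")
    devgrp=$2
    hits=0
    for f in $(find "$dir" -type f -perm -2000 2>/dev/null); do
        if is_setgid_to_group "$f" "$devgrp"; then
            echo "$f: setgid $devgrp, and $dev is readable by group $devgrp"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -gt 0 ]
}

# Constructed scenario mirroring the Solaris 8 default from the mail: a
# mode 2711 "top" and a group-readable 0640 "kmem", both in the caller's
# primary group (standing in for group sys).
demo() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/kmem" && chmod 640 "$tmp/kmem"
    : > "$tmp/top"  && chmod 2711 "$tmp/top"
    : > "$tmp/ps"   && chmod 755 "$tmp/ps"      # not setgid: must not be flagged
    if audit_setgid_kmem "$tmp" "$tmp/kmem"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# Same layout but kmem at 0600: the setgid bit alone no longer reaches it.
demo_no_group_read() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/kmem" && chmod 600 "$tmp/kmem"
    : > "$tmp/top"  && chmod 2711 "$tmp/top"
    if audit_setgid_kmem "$tmp" "$tmp/kmem"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

demo
```

On a real host the call would be something like "audit_setgid_kmem /usr/local/bin /dev/kmem" (the install path is an assumption; use wherever your Makefile puts top) and, on systems that expose it, the same against /dev/mem. The check only reports that the device is reachable through a setgid binary's group; what a bug in that binary then lets an attacker do with read access to kernel memory is a separate question the mail leaves open.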
