[22853] in bugtraq


Re: hylafax

daemon@ATHENA.MIT.EDU (Lee Howard)
Mon Oct 15 12:33:04 2001

Message-Id: <3.0.6.32.20011014215233.00dbe100@server.deanox.com>
Date: Sun, 14 Oct 2001 21:52:33 -0600
To: "Przemyslaw Frasunek" <venglin@freebsd.lublin.pl>,
        <christer.oberg@gmx.net>, <bugtraq@securityfocus.com>
From: Lee Howard <faxguy@deanox.com>
In-Reply-To: <02e401c1541d$a8ef62d0$027eb6d4@clitoris>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

At 09:31 PM 10/13/01 +0200, Przemyslaw Frasunek wrote:
>> There are some format string vulnerabilities in the latest hylafax package
>> try faxrm -h %x 1 or faxalter -h %x -D 1 for "proof of concept".
>
>an exploit for this one:
>http://www.frasunek.com/sources/security/security/hylafax.pl


As has been pointed out on the hylafax-devel@hylafax.org mailing list, this
exploit is only useful for those installations which have set hfaxd to suid
root.  The standard HylaFAX installation does not do this.

[user@hylafaxserver user]$ faxstat -i
HylaFAX version 4.1rc1 built Sat Jun  2 16:55:31 MDT 2001 for i686-pc-linux
HylaFAX scheduler on hylafaxserver.mydomain.com: Running
Modem ttyS1 (+1.435.755.0959): Running and idle
[user@hylafaxserver lee]$ ./hylafax.pl
Not vulnerable
[user@hylafaxserver lee]$

Lee.

