[4159] in bugtraq
Re: Linux NLSPATH buffer overflow
daemon@ATHENA.MIT.EDU (Mihai Sandu)
Thu Mar 13 12:33:58 1997
Date: Thu, 13 Mar 1997 17:25:35 +0200
Reply-To: Mihai Sandu <mike@thai.oxy.pub.ro>
From: Mihai Sandu <mike@THAI.OXY.PUB.RO>
X-To: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <m0vvUb0-0005FcC@lightning.swansea.linux.org.uk>
On Fri, 14 Feb 1997, Alan Cox wrote:
> libc5.4 is immune, RedHat has been shipping the fixed libc5.3.12 for a long
> time, and all the vendors I had security contacts for were told ages ago.
> If they haven't fixed it then I'm disappointed with them, they don't have
> an excuse. That libc5.3.12 unpatched also has other fun bugs with buffer
> overruns in libc some in the BSD stuff akin to the BSD bugs in rcmd() etc.
>
> Alan
>
[squid@arbat squid]$ cat /etc/redhat-release
release 4.0 (Colgate)
[squid@arbat squid]$ uname -a
Linux arbat.ase.ro 2.0.18 #3 Fri Mar 7 11:28:49 EET 1997 i586
[squid@arbat squid]$ id
uid=500(squid) gid=500(squid) groups=100(users),500(squid)
[squid@arbat squid]$ ls -la /lib/libc*
lrwxrwxrwx 1 root root 14 Feb 21 14:52 /lib/libc.so.5 -> libc.so.5.3.12
-rwxr-xr-x 1 root root 705995 Sep 2 1996 /lib/libc.so.5.3.12
lrwxrwxrwx 1 root root 22 Feb 21 14:57 /lib/libcom_err.so -> /lib/libcom_err.so.2.0
lrwxrwxrwx 1 root root 17 Feb 21 14:59 /lib/libcom_err.so.2 -> libcom_err.so.2.0
-rwxr-xr-x 1 root root 5819 Sep 1 1996 /lib/libcom_err.so.2.0
Naaaaahhhh! It won't work.... :(
But what the hell, let's try!
[squid@arbat squid]$ cc -o suex suex.c
[squid@arbat squid]$ ./suex
bash# id
uid=0(root) gid=500(squid) egid=0(root) groups=100(users),500(squid)
Whooops.. it worked :)
So. It works on RedHat 4.0 Colgate with libc v. 5.3.12
With all my best regards,
Sandu Mihai