[6321] in bugtraq
Re: LinCity Buffer Overflow
daemon@ATHENA.MIT.EDU (Bob Tracy - TDS)
Tue Mar 17 15:22:07 1998
Date: Mon, 16 Mar 1998 13:40:21 -0600
Reply-To: Bob Tracy - TDS <rct@MERKIN.CSAP.AF.MIL>
From: Bob Tracy - TDS <rct@MERKIN.CSAP.AF.MIL>
X-To: tfreak@JADED.NET
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.96.980316122321.1484A-100000@jaded.net> from "T. Freak" at "Mar 16, 98 12:34:05 pm"
T. Freak wrote:
>
> While a buffer overflow is blatantly obvious in the code, I don't think it
> is very dangerous. Observe.
>
> (exploit attempt)
> sh-2.01$ id
> uid=1000(tfreak) gid=1000(tfreak)
> groups=1000(tfreak),0(root),4(adm),7(lp),24(cdrom),25(floppy),31(majordom),69(geek)
> sh-2.01$
The version of bash you are running is the key here... 2.01 renounces
setuid/setgid privs when called as "sh", e.g., system() within a program,
unless the "-p" flag is passed. See the "NOTES" file in the root
directory of the bash-2.01.1 distribution for details.
--
Bob Tracy | "Eagles may soar, but weasels don't get
AFIWC/TIPER | sucked into jet engines."
rct@merkin.csap.af.mil | --Anon
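The privilege renunciation Bob describes, written out as an added example in C (this is not code from the post, nor bash's own source): when the effective uid/gid differ from the real ones, drop back to the real ids before doing anything else, unless a "-p"-style privileged mode was requested. The function names and the `privileged_mode` flag are assumptions made for this example; the logic follows the behaviour summarised in the reply.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Return 1 when a shell started with these ids should renounce its
 * setuid/setgid privileges, 0 when it may keep them.  Assumption: this
 * mirrors the bash 2.01 behaviour described in the reply (effective ids
 * that differ from the real ids are given up unless "-p" was passed);
 * it is not copied from bash. */
int should_drop_privileges(uid_t ruid, uid_t euid,
                           gid_t rgid, gid_t egid, int privileged_mode)
{
    if (privileged_mode)
        return 0;                 /* "-p": keep whatever ids we were handed */
    return (ruid != euid) || (rgid != egid);
}

/* Give the privileges up for real.  Group first: once the effective uid is
 * no longer 0, changing the gid would fail.  Returns 0 on success, -1 on
 * any failure, including a drop that silently did not take effect. */
int drop_privileges(void)
{
    if (setgid(getgid()) != 0)
        return -1;
    if (setuid(getuid()) != 0)
        return -1;
    /* Re-check: a failed drop must never be trusted just because
     * the calls returned. */
    if (geteuid() != getuid() || getegid() != getgid())
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* "-p" as the first argument plays the role of bash's privileged mode. */
    int privileged = (argc > 1 && strcmp(argv[1], "-p") == 0);

    printf("real uid %d, effective uid %d\n", (int)getuid(), (int)geteuid());
    if (should_drop_privileges(getuid(), geteuid(),
                               getgid(), getegid(), privileged)) {
        if (drop_privileges() != 0) {
            perror("drop_privileges");
            return 1;
        }
        puts("setuid/setgid privileges renounced");
    }
    return 0;
}
```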