[7831] in bugtraq
Re: [SECURITY] Seyon is vulnerable to a root exploit
daemon@ATHENA.MIT.EDU (Bruno Morisson)
Mon Aug 31 18:51:53 1998
Date: Mon, 31 Aug 1998 19:34:32 +0100
Reply-To: Bruno Morisson <morisson@CRYOGEN.COM>
From: Bruno Morisson <morisson@CRYOGEN.COM>
To: BUGTRAQ@NETSPACE.ORG
Martin Schulze wrote:
> Since SGI does not provide exploit information, we are unable to
> fix the problem. SGI provided such information only to recognized
> security response/incident/coordination organizations and bugtraq
> doesn't seem to be accepted. SGI doesn't develop patches to third
> party products, thus there is no chance for a quick fix.
The bug is in a command line argument to seyon. If you do
root:~# seyon -noemulator <very long string (approximately 200 bytes)>
it will overflow. Getting a shell is trivial (although it needs to
regain previleges through a setreuid(0,0) for example, since seyon drops
previleges), but we were unable to find any Linux distribution that
shipped seyon suid root(at least not the latest slackware and redhat5.1,
we had no access to others). It seems that in redhat 5.1 it is sgid
uucp.
We were able to exploit the bug, so in cases where seyon is suid root it
is possible to get a root shell.
Regards,
Bruno Morisson and Marco Vaz
