[8515] in bugtraq
Re: klogd 1.3-22 buffer overflow
daemon@ATHENA.MIT.EDU (Peter van Dijk)
Thu Nov 12 15:11:18 1998
Mail-Followup-To: BUGTRAQ@NETSPACE.ORG
Date: Thu, 12 Nov 1998 01:43:16 +0100
Reply-To: Peter van Dijk <peter@ATTIC.VUURWERK.NL>
From: Peter van Dijk <peter@ATTIC.VUURWERK.NL>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199811111612.LAA09160@cleon.cc.gatech.edu>; from Neil Bright on Wed, Nov 11, 1998 at 11:12:09AM -0500
On Wed, Nov 11, 1998 at 11:12:09AM -0500, Neil Bright wrote:
> Michal Zalewski wrote the following:
>
> > Good morning,
> >
> > This time - buffer overflow in Linux klogd daemon from sysklogd-1.3
> > package (up to release 22 - affects Red Hat 5.x and Slackware 3.x, no data
> > about other distributions).
>
> [snip]
>
> This does appear to affect a (fairly) stock RH5.2 box also. In my test,
> the supplied module code did cause klogd to die...
>
> Relevant RPMS:
> sysklogd-1.3-25
> kernel-2.0.36-0.7 (stock, no kernel rebuild)
Same on Slackware 3.4 (kernel updated to 2.0.35).
[root@koek] ~# klogd -v
klogd 1.3-0
But attaching gdb to klogd shows that the character the buffer is filled with
only appears in eax and even there only in the lowest 8 bits. Is this still
exploitable?
Greetz, Peter.
--
'I guess anybody who walks away from a root shell at : Peter van Dijk
a nerd party gets what they deserve!' -- BillSF :peter@attic.vuurwerk.nl
finger hardbeat@flits104-161.flits.rug.nl for my public PGP-key