[15373] in bugtraq
Re: local root on linux 2.2.15
daemon@ATHENA.MIT.EDU (Tollef Fog Heen)
Fri Jun 16 14:28:31 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <87em5y3yjn.fsf@arabella.intern.opera.no>
Date: Fri, 16 Jun 2000 08:55:24 +0200
Reply-To: Tollef Fog Heen <tollef@ADD.NO>
From: Tollef Fog Heen <tollef@ADD.NO>
X-To: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: der Mouse's message of "Thu, 15 Jun 2000 01:23:53 -0400"
* der Mouse
| Does anyone else find this as ironic as I do? Note the lack of
| checking before using the pointers returned by malloc.
ok, ok, I was lazy. Sorry all. Mea culpa. I just copied code from
one of the exploits.
Fixed code:
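#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <linux/capability.h>
#include <string.h>
#include <errno.h>

/* The C library exports capset() but declares it in no standard header. */
int capset(cap_user_header_t header, cap_user_data_t data);

int main() {
    cap_user_header_t header;
    cap_user_data_t data;
    int retval;

    /* cap_user_header_t and cap_user_data_t are pointer typedefs:
       allocate the size of the struct pointed to, not of the pointer. */
    header = malloc(sizeof(*header));
    if (header == NULL) {
        printf("Out of memory\n");
        exit(1);
    }
    data = malloc(sizeof(*data));
    if (data == NULL) {
        printf("Out of memory\n");
        exit(1);
    }

    header->pid = 0;    /* 0 = the calling process */
    header->version = _LINUX_CAPABILITY_VERSION;
    /* Clear all three capability sets, CAP_SETUID included. */
    data->inheritable = data->effective = data->permitted = 0;

    retval = capset(header, data);
    if (retval == -1) {
        printf("%s\n", strerror(errno));
        exit(1);
    }

    /* Report what setuid() returns once the capabilities are gone. */
    printf("Setuid returns: %d\n", setuid(1000));
    printf("Strerror returns: %s\n", strerror(errno));
    return 0;
}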
--
Tollef Fog Heen
This is the unix version of the LoveBug virus and in the spirit of such it
depends on the user community to propagate. Please send this message to all
of your friends and randomly delete numerous files from your system.