[17036] in bugtraq
Re: /bin/su local libc exploit yielding a root shell
daemon@ATHENA.MIT.EDU (Matt Wilson)
Wed Oct 4 01:58:25 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-ID: <20001004005935.G9262@devserv.devel.redhat.com>
Date: Wed, 4 Oct 2000 00:59:35 -0400
Reply-To: Matt Wilson <msw@REDHAT.COM>
From: Matt Wilson <msw@REDHAT.COM>
X-To: Guido Bakker <guidob@mainnet.nl>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <00100312251402.00857@guidob>; from guidob@mainnet.nl on Tue, Oct 03, 2000 at 12:25:14PM +0200
I have been able to verify this exploit on stock Red Hat Linux 6.2,
and have verified that the rogue message catalog is not read when the
errata for glibc at:
http://www.redhat.com/support/errata/RHSA-2000-057-04.html
is applied.
Again - Red Hat, Inc. strongly recommends that all users upgrade to
the glibc errata in RHSA-2000-057-04 as it protects you against this
and similar exploits.
Cheers,
Matt
msw@redhat.com
On Tue, Oct 03, 2000 at 12:25:14PM +0200, Guido Bakker wrote:
> /*
> Hail to thee dear readers,
>
> This is yet another /bin/su + buggy locale functions in libc exploit.
> The reason for writing it is rather easy to explain: all existing versions
> of "su" format bug exploits were very unreliable and tedious to use - the
> number of addresses on the stack, and thus the number of %.8x signs to use
> varied heavily, as well as the alignment. Return addresses were expected to
> be specified on the command line, which is imho an idiotic thing to combine
> with all the other options that also are to be 'brute forced'.
> Finding these values by hand is too tedious a thing to do and costs the
> average script-kid way too much time. I hoped to solve this in this exploit
> and have found it to work on many different machines so far by using a
> small brute forcing perl wrapper.
<code snipped>
> | Guido Bakker <guidob@mainnet.nl>
> | Network Manager
>
> MainNet BV, http://www.mainnet.nl
> Phone: +31 (0)20 6133505
> Fax: +31 (0)20 6135640