[2179] in bugtraq

Re: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995

daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Thu Aug 31 13:47:44 1995

Date:         Wed, 30 Aug 1995 01:34:13 -0400
Reply-To: perry@piermont.com
From: "Perry E. Metzger" <perry@piermont.com>
X-To:         Bugtraq List <BUGTRAQ@CRIMELAB.COM>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To:  Your message of "Tue, 29 Aug 1995 15:03:13 +0200."
              <199508291303.PAA25239@iaehv.IAEhv.nl>

"Rob J. Nauta" writes:
> [8LGM] Security Team dared to write:
> >
> >                [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995
> >REPEAT BY:
> >        We have written an example exploit to overwrite syslog(3)'s
> >        internal buffer using SunOS sendmail(8).  However due to the
> >        severity of this problem, this code will not be made available
> >        to anyone at this time.  Please note that the exploit was fairly
> >        straightforward to put together, therefore expect exploits to be
> >        widely available soon after the release of this advisory.
>
> If it's so straightforward, let's have it !

The report gave me more than enough information to figure out
precisely how to do what was stated. It was full disclosure from my
perspective. He told you exactly what your vulnerability is -- if you
can get syslog(3) to fandango on its stack, you can get it to execute
arbitrary code.

I managed to fix the problem without any further information. See my
patch of this morning.

> I want to check my linux and my ISP's FreeBSD. Bugtraq is FULL
> DISCLOSURE !! So, please post source/ scripts now !

I don't see that you need an exploit script to check this. Simply
checking your implementation of syslog(3) is enough. If you can't read
C source code, well, sorry.

Perry
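
The check described in the message above, as an added example that is not part of the original post or of the patch it mentions: when reading a syslog(3)-style routine, look for formatting into a fixed internal buffer with no length limit, and compare it with a bounded form like this one. The function names, the 64-byte buffer size and the line layout are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#define LOGBUF_SIZE 64  /* assumed size; kept small so the demo truncates */

/* Pattern to look for in a syslog(3)-style routine (shown, not compiled):
 *     char tbuf[N]; ... vsprintf(p, fmt, ap);   expansion is never length-checked */

/* Append formatted text within the space left; result is always NUL-terminated.
 * Returns 0 if it fit, 1 if the output was cut short. Requires *used < cap. */
static int vappend(char *buf, size_t cap, size_t *used, const char *fmt, va_list ap)
{
    size_t room = cap - *used;                 /* space left, NUL included */
    int n = vsnprintf(buf + *used, room, fmt, ap);
    if (n < 0) { buf[*used] = '\0'; return 1; }
    if ((size_t)n >= room) { *used = cap - 1; return 1; }
    *used += (size_t)n;
    return 0;
}

/* Hypothetical stand-in for the line-building part of syslog(3). */
int build_log_line(char *out, size_t cap, int pri, const char *tag, const char *fmt, ...)
{
    va_list ap;
    if (cap == 0) return 1;
    int n = snprintf(out, cap, "<%d>%s: ", pri, tag);   /* bounded header */
    if (n < 0 || (size_t)n >= cap) return 1;
    size_t used = (size_t)n;
    va_start(ap, fmt);
    int cut = vappend(out, cap, &used, fmt, ap);         /* bounded message */
    va_end(ap);
    return cut;
}

/* Feed a constructed argument of arglen 'A's; report line length and truncation. */
int demo(size_t arglen, size_t *len_out)
{
    char line[LOGBUF_SIZE], arg[512];
    if (arglen >= sizeof arg) arglen = sizeof arg - 1;
    memset(arg, 'A', arglen); arg[arglen] = '\0';
    int cut = build_log_line(line, sizeof line, 22, "demo", "from=%s", arg);
    *len_out = strlen(line);
    return cut;
}

int main(void)
{
    size_t len;
    int cut = demo(300, &len);
    return printf("truncated=%d len=%zu\n", cut, len) < 0;
}
```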
