Date: Fri, 4 Sep 1998 09:42:35 +0200
From: Marc Heuse <marc@SUSE.DE>
To: BUGTRAQ@netspace.org
Subject: Re: More Overflows...

Hi,

> smbclient        version:  1.9.18p3    Overflow occurs after 8505 characters
> compress         version:  4.2.4       Overflow at 1100 characters
> elvis            version:  2.0         Lots of fun quirks over 1000-100000;
>                                        maybe an exploit symlinking with tmp's
> lha              version:  1.02            Overflow at  >19211

none of these applications is s[ug]id, so these overflows can not be
exploited to gain privilege.

about the symlink attack on elvis-2.0:

/* unix/osprg.c */
char id_osprg[] = "$Id: osprg.c,v 2.9 1996/05/23 00:03:51 steve Exp $";
#define TMPDIR  (o_directory ? tochar8(o_directory) : "/tmp")
static char     tempfname[100]; /* name of temp file */

                /* create a temporary file for feeding the program's stdin*/
                sprintf(tempfname, "%s/elvis%d.tmp", TMPDIR, (int)getpid());
                writefd = open(tempfname, O_WRONLY|O_CREAT|O_EXCL, 0600);
                if (writefd < 0)
                {
                        msg(MSG_ERROR, "can't make temporary file");
                        free(command);
                        return False;
                }

it's not vulnerable

>
> There are many more but I'm too tired to document them, if you have any
> questions, I can be reached at hdmoore@usa.net

if some of them can really be used to gain more privileges on the machine or
result in a denial-of-service, email them to security@suse.de please

> The major concern I have is non-privileged users trashing system files
> with suid apps, please check ALL your suid's for overflows...Anyways,
> Thrill Kill rocked and I'm beat and bloody from the pit, so goodnight.

well, if you find any, drop me a note.


Greets,
        Marc
--
  Marc Heuse, S.u.S.E. GmbH, Fahrradstr. 56, D-90429 Nuernberg
  E@mail: marc@suse.de   Function: Security Support & Auditing
  Use  "finger marc@suse.de | pgp -fka"  for my public pgp key
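The reason the elvis snippet above is not exposed to the tmp symlink trick is the O_CREAT|O_EXCL pair: open() then fails with EEXIST if anything already sits at the path, and it never follows a symlink as the final component. The following program is an added example written for this archive page; it is not code from elvis or from either poster. It builds the scenario in a constructed directory under /tmp (a pre-planted symlink at a predictable temp-file name pointing at an empty "victim" file) and compares the elvis-style open with one that lacks O_EXCL. All function and path names (open_tmp_excl, open_tmp_noexcl, symlink_scenario, the elvis-demo directory) are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Open `path` for writing with the flags elvis uses: O_CREAT|O_EXCL.
 * With O_EXCL, open() fails with EEXIST if a file OR a symlink already
 * exists at `path`; the symlink is not followed. Returns fd or -1. */
int open_tmp_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* The weak variant for comparison: without O_EXCL a pre-planted symlink
 * at `path` is followed, so the write lands in whatever it points to. */
int open_tmp_noexcl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT, 0600);
}

/* Size of a file in bytes, 0 if it does not exist; used to tell whether
 * the victim file was written through the symlink. */
static long file_size(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return 0;
    return (long)st.st_size;
}

/* Constructed scenario: a symlink is planted at the predictable temp-file
 * name, pointing at an (empty) victim file, before the program opens it.
 * use_excl selects which open helper is tried.
 * Returns 1 if the open was refused with EEXIST and the victim stayed
 * empty, 0 if the symlink was followed, -1 on a setup error. */
int symlink_scenario(int use_excl)
{
    char dir[64], victim[128], link[128];
    snprintf(dir, sizeof dir, "/tmp/elvis-demo-%d", (int)getpid()); /* hypothetical dir */
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/elvis1234.tmp", dir); /* predictable name */

    int v = open(victim, O_WRONLY | O_CREAT, 0600);
    if (v < 0) return -1;
    close(v);
    if (symlink(victim, link) != 0) return -1;

    int fd = use_excl ? open_tmp_excl(link) : open_tmp_noexcl(link);
    int refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0) {
        ssize_t n = write(fd, "clobbered\n", 10);
        (void)n;
        close(fd);
    }
    int untouched = (file_size(victim) == 0);

    unlink(link);
    unlink(victim);
    rmdir(dir);
    return (refused && untouched) ? 1 : 0;
}

int main(void)
{
    printf("O_EXCL refuses the planted symlink: %s\n",
           symlink_scenario(1) == 1 ? "yes" : "no");
    printf("without O_EXCL the symlink is followed: %s\n",
           symlink_scenario(0) == 0 ? "yes" : "no");
    return 0;
}
```

The check a reviewer wants when auditing temp-file code is therefore not the directory or the name pattern but the presence of O_EXCL (or mkstemp(), which sets it internally) on the creating open(); a predictable name alone, as in the elvis code, is harmless when the open refuses to reuse an existing path.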
