The OpenNET Project
 


"at" is vulnerable on Solaris 7 and 8


Date: Tue, 12 Jun 2001 10:20:23 +0800
From: Hank Wang <[email protected]>
To: [email protected]
Subject: "at" is vulnerable on Solaris 7 and 8

We found that "at" in Solaris is vulnerable on Solaris 7 and 8.
This kind of bug is discussed under Bugtraq ID 1634.

--<
Generally a program that needs to display a message to the user will obtain
the proper language specific string from the database using the original
message as the search key and printing the results using the printf(3)
family of functions. By building and installing a custom messages database
an attacker can control the output of the message retrieval functions that
get fed to the printf(3) functions.

Bad coding practices and the ability to feed format strings to the latter
functions make it possible for an attacker to execute arbitrary code as a
privileged user (root) using almost any SUID program on the vulnerable
systems.
>--

When the "at" command succeeds, it returns a message:
"commands will be executed using: <shell>\n"
A user can create a specified format string for that message for gettext(),
and set the NLSPATH environment variable.

That way, the user may get root privilege.
The exploit will be released later...

--
Huang-Yu Wang
[email protected]
R&D Team, ISS-TW
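
Added example, not part of the original post and not Solaris source code: one defensive pattern for the catalog-driven format string problem described above is to accept a translated message only when it consumes exactly the same printf arguments as the compiled-in one. The names fmt_signature and checked_msg, the "%s" form of the "at" message and the sample strings are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Build the ordered conversion list of fmt (e.g. "s;ld;") in sig.
 * Returns -1 for %n, '*', positional "%1$s" or a malformed directive:
 * a deliberately conservative policy for a privileged program. */
static int fmt_signature(const char *fmt, char *sig, size_t cap)
{
    size_t n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                   /* literal percent sign */
        p += strspn(p, "-+ #0");                   /* flags */
        p += strspn(p, "0123456789");              /* width */
        if (*p == '.') p += 1 + strspn(p + 1, "0123456789"); /* precision */
        size_t len = strspn(p, "hlLjzt");          /* length modifiers */
        if (p[len] == '\0' || !strchr("diouxXeEfgGcsp", p[len])) return -1;
        if (n + len + 2 >= cap) return -1;         /* signature too long */
        memcpy(sig + n, p, len + 1);               /* modifiers + conversion */
        n += len + 1;
        sig[n++] = ';';
        p += len;                                  /* now on conversion char */
    }
    sig[n] = '\0';
    return 0;
}

/* Use the catalog string only if it consumes exactly the same arguments as
 * the compiled-in message; otherwise fall back to the compiled-in one. */
const char *checked_msg(const char *builtin, const char *translated)
{
    char a[64], b[64];
    if (!translated || fmt_signature(builtin, a, sizeof a) != 0 ||
        fmt_signature(translated, b, sizeof b) != 0 || strcmp(a, b) != 0)
        return builtin;
    return translated;
}

int main(void)
{
    /* Assumed format for the message quoted in the post; samples constructed. */
    const char *def = "commands will be executed using %s\n";
    const char *ok  = "Befehle werden ausgefuehrt mit %s\n"; /* same args */
    const char *bad = "shell: %s %n\n";        /* extra %n: must be rejected */
    printf(checked_msg(def, ok), "/bin/sh");
    printf(checked_msg(def, bad), "/bin/sh");   /* prints the built-in text */
    return 0;
}
```

This check complements, and does not replace, having set-uid programs ignore NLSPATH and load catalogs only from trusted system directories.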

