BugTraq
Re: Calife heap corrupt / potential local root exploit
Feb 27 2004 04:49PM
Ollivier Robert (roberto keltia freenix fr)
(1 replies)
In-Reply-To: <20040227091921.26210.qmail@www.securityfocus.com>
>Calife heap corrupt / potential local root exploit
>--------------------------------------------------
>by Leon Juranic a.k.a DownBload <downbload@hotmail.com> / II-Labs
>
>
>Version affected(tested): calife-2.8.4c and calife-2.8.5
>- calife can be found at packages.debian.org, FreeBSD 5.0 (security), ...
Thank you for taking the time to contact me before sending such a mail to Bugtraq. It is always nice to deal with such nice people [NOT!]
>[downbload@localhost downbload]$ calife luser
>Password: "A" x 3000
>Password: real_user_password
>Segmentation fault
>[downbload@localhost downbload]$
Interesting, on which platform? I just tried that on FreeBSD 4.9, 5.2 and could not reproduce.
On Linux/Debian, it does segfault. glibc problem?
>- "A" x 3000 will corrupt the heap.
>- If real_user_password isn't correct, calife will do exit()
>- If attacker wants to exploit calife, there must be at least one user "available" in /etc/calife.auth
Do you have such an exploit? I'd like to see it.
> pt_pass = (char *) getpass ("Password:");
> memset (user_pass, '\0', l_size);
> strcpy (user_pass, pt_pass); // <- BAD CODE
I could have used strlcpy but I assumed (and my reading of the FreeBSD source code confirms it) that getpass(3) was doing the size check.
In FreeBSD, it seems not possible to overflow that as the code verifies the length.
I'll release 2.8.6 today.
Courtesy seems to go down the gutters these days apparently.
Ollivier, pissed off.
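Added example (not Calife's code and not part of this thread): a bounded replacement for the quoted strcpy() that rejects a password that would not fit in user_pass instead of relying on getpass(3) to limit its length, since the glibc getpass() returns a string of arbitrary length. The buffer size in main() and the helper names are assumptions.

```c
/* Added example, not Calife's code: bounded replacement for
 * strcpy(user_pass, pt_pass).  The caller enforces the limit itself
 * because glibc getpass(3) does not truncate its result. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy pt_pass into user_pass (capacity l_size).  Returns 0 on success,
 * -1 if the password plus its terminating NUL does not fit.  On failure
 * user_pass is left zeroed so no partial secret lingers in the buffer. */
int copy_password(char *user_pass, size_t l_size, const char *pt_pass)
{
    const char *end;
    size_t n;

    if (user_pass == NULL || l_size == 0)
        return -1;
    memset(user_pass, '\0', l_size);
    if (pt_pass == NULL)
        return -1;
    /* memchr reads at most l_size bytes, so an oversize input such as
     * "A" x 3000 is detected before any copy happens (no NUL within l_size). */
    end = memchr(pt_pass, '\0', l_size);
    if (end == NULL)
        return -1;            /* would overflow: reject rather than truncate */
    n = (size_t)(end - pt_pass);
    memcpy(user_pass, pt_pass, n + 1);
    return 0;
}

/* Constructed stand-in for what getpass(3) returned in the report:
 * a run of 'A' of the requested length.  Caller frees the result. */
char *make_long_password(size_t len)
{
    char *p = malloc(len + 1);
    if (p == NULL)
        return NULL;
    memset(p, 'A', len);
    p[len] = '\0';
    return p;
}

int main(void)
{
    char user_pass[128];   /* hypothetical l_size; Calife's real value is not on the page */
    char *oversize = make_long_password(3000);

    if (copy_password(user_pass, sizeof user_pass, oversize) != 0)
        puts("rejected: password longer than user_pass");
    if (copy_password(user_pass, sizeof user_pass, "real_user_password") == 0)
        printf("accepted: %s\n", user_pass);
    free(oversize);
    return 0;
}
```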