[Full-Disclosure] Re: /bin/mail & glibc
From: Mark (mark_at_vulndev.org)
Date: 05/29/03
- Previous message: uk2sec_at_oakey.no-ip.com: "[Full-Disclosure] /bin/mail & glibc"
To: full-disclosure@lists.netsys.com
Date: 29 May 2003 12:39:08 +0100
Sorry, I am immensely bored today, so actually reading email!

It's actually a problem with /bin/mail and how it handles the CC field.

/bin/mail -s Test -c `perl -e 'print "A" x 8224'` root@localhost

segfaults and overwrites EIP at 8224 characters (segfaults without EIP at 8220).

You don't have to be using zsh to create this problem.

There isn't really a lot of worry unless /bin/mail was setuid/setgid... easy to spawn a shell. I've put a messy perl exploit together (www.vulndev.org); run it, insert your '.' and <CR>, and you should get a shell.
-- 
Mark
www.vulndev.org
'If ignorant both of the enemy and yourself, you are certain in every battle to be in peril' If you know yourself, knowing the enemy does not matter. -- Sun Tzu - The Art of War (Adapted)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
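As an added illustration, not /bin/mail's source and not the exploit Mark refers to, the constructed C program below puts the bug class the post describes (an unbounded copy of the -c value into a fixed-size stack buffer, which is how a long argument ends up overwriting the saved return address) next to a bounded version that refuses oversized input instead of writing past the buffer. The 8192-byte buffer size, the "Cc: " header format, the make_cc helper and the function names are assumptions made for this example; nothing here is taken from the real /bin/mail.

```c
/* Constructed example: stand-in for the bug class in the post, not /bin/mail code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_MAX 8192   /* assumed header buffer size for illustration only */

/* Builds the same input the post's perl one-liner does: n bytes of 'A'.
 * The caller frees the result. */
static char *make_cc(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

/* Vulnerable pattern: the -c value is copied into a fixed stack buffer with
 * no length check. With enough input the copy runs past hdr, over the saved
 * frame pointer and the return address, which is the "overwrites EIP"
 * symptom described in the post. Never call this with attacker-sized input. */
static void cc_header_unsafe(const char *cc, char *out)
{
    char hdr[HDR_MAX];
    strcpy(hdr, "Cc: ");
    strcat(hdr, cc);        /* unbounded: overflows when strlen(cc) + 5 > HDR_MAX */
    strcat(hdr, "\n");
    strcpy(out, hdr);
}

/* Hardened version: snprintf never writes past hdr and reports the length it
 * wanted, so input that would not fit is rejected rather than truncated or
 * written past the buffer. Returns 0 on success, -1 if the Cc value is too long. */
static int cc_header_safe(const char *cc, char *out, size_t outlen)
{
    char hdr[HDR_MAX];
    int n = snprintf(hdr, sizeof hdr, "Cc: %s\n", cc);
    if (n < 0 || (size_t)n >= sizeof hdr)
        return -1;                      /* would not have fit in hdr */
    if ((size_t)n + 1 > outlen)
        return -1;                      /* caller's buffer is too small as well */
    memcpy(out, hdr, (size_t)n + 1);
    return 0;
}

/* Drives cc_header_safe with a Cc value of n 'A's and returns its status
 * (-2 if the payload could not be allocated). */
static int safe_status_for_len(size_t n)
{
    char out[HDR_MAX];
    char *cc = make_cc(n);
    int rc;
    if (cc == NULL)
        return -2;
    rc = cc_header_safe(cc, out, sizeof out);
    free(cc);
    return rc;
}

/* Returns 1 if the bounded version produces the expected header for a
 * short address, 0 otherwise. */
static int safe_header_matches(void)
{
    char out[HDR_MAX];
    if (cc_header_safe("root@localhost", out, sizeof out) != 0)
        return 0;
    return strcmp(out, "Cc: root@localhost\n") == 0;
}

int main(void)
{
    char out[HDR_MAX];
    /* Short input: both versions behave; the difference only shows at length. */
    cc_header_unsafe("root@localhost", out);
    printf("unsafe, short input: %s", out);
    printf("safe, short input matches: %d\n", safe_header_matches());
    /* The post's 8224-byte payload is refused by the bounded version. */
    printf("safe, 8224 A's: %s\n",
           safe_status_for_len(8224) == -1 ? "rejected" : "accepted");
    /* "Cc: " (4) + value + "\n" (1) + NUL (1) must fit in HDR_MAX bytes. */
    printf("safe, largest accepted Cc length: %d\n", HDR_MAX - 6);
    return 0;
}
```

With the assumed 8192-byte buffer, the bounded version accepts a Cc value of up to 8186 bytes and returns -1 for anything longer, including the 8224-byte payload from the post; the same payload fed to cc_header_unsafe would run the copy over the saved return address, which is what a debugger shows as EIP being overwritten. As the post notes, that only becomes a privilege problem when the binary runs setuid or setgid.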