Re: su core dumped with signal 3. BSD/OS 3.0, 3.1
From: Joel Eriksson (je-vulndev@bitnux.com)
Date: 03/13/03
- Previous message: Nate Nord: "FW: Outlook HTML crash"
- In reply to: Marco Ivaldi: "Re: su core dumped with signal 3. BSD/OS 3.0, 3.1"
Date: Thu, 13 Mar 2003 18:52:11 +0100
From: Joel Eriksson <je-vulndev@bitnux.com>
To: Marco Ivaldi <raptor@0xdeadbeef.info>
On Wed, Mar 12, 2003 at 09:26:22PM +0100, Marco Ivaldi wrote:
> > As to exploiting, no, I don't think you can exploit this: the core here
> > is a result of the kernel processing a signal sent to the process, not
> > of some overflow or invalid memory access or similar.
>
> Just wondering. What happens if you create a symlink to .rhosts and manage
> to write a "+ +" in memory before coredump (I've not checked if it's
> possible in this particular situation)? Or maybe symlinking /etc/passwd
> and causing a DoS condition? This is just an example, but I'm not so sure
> it's not possible to exploit this behaviour of a setuid program...
>
> Please correct me if I'm plain wrong :)
This used to work a few years ago anyway. I would think recent versions
of Unix OSes have fixed that rather trivial flaw, but it's worth trying.
> :raptor
> Antifork Research, Inc. 0xdeadbeef | raptor's labs
> http://www.antifork.org http://www.0xdeadbeef.info
-- Joel Eriksson -------------------------------------------------
Security Research & Systems Development at Bitnux
PGP Key Server pgp.mit.edu, PGP Key ID 0x529FDBD1
A615 A1E1 3CA2 D7C2 CFEA 47B4 7EF7 E6B2 529F DBD1
-------------------------------------------------
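Added example, not part of the original thread or of any BSD/OS source: two defences against the scenario discussed above, where a privileged process's core file is written through a symlink planted at the dump path. The function names, the /tmp scratch directory and the file names are assumptions made for the demonstration.

```c
/* Added example: keeping a privileged dump from following a planted symlink. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>

/* Defence 1: a setuid program can opt out of dumping core entirely. */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Defence 2: whoever writes the dump must create the file itself.
 * O_EXCL fails if the name already exists (a symlink counts), and
 * O_NOFOLLOW refuses a symlink as the last path component. */
int write_dump_safely(const char *path, const void *buf, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, buf, len);
    if (close(fd) != 0 || n != (ssize_t)len)
        return -1;
    return 0;
}

/* Constructed scenario: "victim" stands in for a file such as .rhosts and
 * "prog.core" is a symlink to it at the place the dump would be written.
 * Returns 1 if the write is refused and the victim file is unchanged. */
int symlinked_dump_is_refused(void)
{
    char dir[] = "/tmp/coredemoXXXXXX", victim[64], core[64], got[16] = {0};
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(core, sizeof core, "%s/prog.core", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return 0;
    fputs("original", f); fclose(f);
    if (symlink(victim, core) != 0) return 0;
    int rc = write_dump_safely(core, "core-image", 10);
    f = fopen(victim, "r");
    if (f) { if (!fgets(got, sizeof got, f)) got[0] = 0; fclose(f); }
    unlink(core); unlink(victim); rmdir(dir);
    return rc == -1 && strcmp(got, "original") == 0;
}
```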