List: vulnwatch
Subject: [VulnWatch] blackshell3: multiple pwck/grpck vulnerabilities
From: blackshell () hushmail ! com
Date: 2002-01-02 9:25:51
-----BEGIN PGP SIGNED MESSAGE-----
#####################################################
#--blackshell security advisory no3--# #
#--IRIX grpck/pwck LOCAL exploit--# #
#--Linux grpck/pwck LOCAL exploit--# #
#####################################################
########################
vendor details & history
########################
www.sgi.com
www.redhat.com
this is not OS specific
no history for this specific app
##################
details of exploit
##################
it seems as if this affects every single OS that uses
the *ck family for password authentication.
this is a classic buffer overflow of the binaries which
are located in the /usr/sbin/* dir.
they are both in the same family of applications
and both are susceptible to this which is just a
bad strcpy() call which copies the first arg passed
onto another string resulting in a sigsegv.
advanced details:
IRIX:
# /usr/sbin/pwck `perl -e 'print "X"x3000'`
Segmentation Fault
#
# /usr/sbin/grpck `perl -e 'print "X"x3000'`
Segmentation Fault
#
Linux (redhat):
# /usr/sbin/pwck `perl -e 'print "X"x3000'`
Segmentation Fault (core dumped)
#
# /usr/sbin/grpck `perl -e 'print "X"x3000'`
Segmentation Fault (core dumped)
#
we found one box had this suid as default on the irix test box
and we were told it comes as suid on redhat 6.* < prior.
###
fix
###
strcpy should be replaced with the bounds checking
strncpy().
####
note
####
this test was conducted on an IRIX 6.5 box, and a redhat 7.2 box.
under no circumstances are we liable for any misuse of this
information
########
hi's to:
########
cr_, Markus@obsd blackshell dev team, #!blackshell
contributors and anyone who over the years has helped
us make us what we are.
#######
contact
#######
blackshell@hushmail.com
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com
wl8EARECAB8FAjwy1LMYHGJsYWNrc2hlbGxAaHVzaG1haWwuY29tAAoJED2VGGGCU8ut
DLMAoIKMheJtbAKVXZEqb6LNMtMUvrBxAKCJY4uqYi6DxXfit8SrtFnkZI1Kow==
=3RvC
-----END PGP SIGNATURE-----
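
The fix the advisory recommends, as an added example that is not part of the original message and is not taken from the pwck/grpck source. The buffer size FILE_BUF and all function names are assumptions for illustration. It shows the unchecked copy pattern next to strncpy() with the explicit NUL termination that strncpy() does not provide on its own, and a stricter variant that rejects an over-long argument instead of truncating it.

```c
#include <stdio.h>
#include <string.h>

#define FILE_BUF 256   /* assumed size; the advisory does not state the real one */

/* Pattern the advisory describes: the first argument is copied with no
 * length check, so FILE_BUF or more bytes write past dst. For contrast only. */
void copy_unchecked(char *dst, const char *arg)
{
    strcpy(dst, arg);
}

/* The advisory's fix. strncpy() writes no terminating NUL when arg is n
 * bytes or longer, so terminate by hand. Returns 1 if arg was truncated,
 * 0 if it fit. Requires n > 0. */
int copy_strncpy(char *dst, size_t n, const char *arg)
{
    strncpy(dst, arg, n - 1);
    dst[n - 1] = '\0';
    return strlen(arg) >= n;
}

/* Stricter variant: refuse an over-long argument rather than act on a
 * truncated file name. Returns 0 on success, -1 if rejected. */
int copy_checked(char *dst, size_t n, const char *arg)
{
    size_t len = strlen(arg);
    if (len >= n)
        return -1;
    memcpy(dst, arg, len + 1);   /* len + 1 copies the NUL as well */
    return 0;
}

int main(int argc, char **argv)
{
    char file[FILE_BUF];
    const char *arg = argc > 1 ? argv[1] : "/etc/passwd";

    if (copy_checked(file, sizeof file, arg) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", FILE_BUF - 1);
        return 1;
    }
    printf("checking %s\n", file);
    return 0;
}
```

Run with the 3000-byte argument from the advisory, this program exits with an error message instead of a segmentation fault.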