Date:      Tue, 10 Oct 2000 19:11:01 -0500 (CDT)
From:      Mike Silbersack <silby@silby.com>
To:        Steve Reid <sreid@sea-to-sky.net>
Cc:        Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>, freebsd-security@FreeBSD.ORG
Subject:   Re: ncurses buffer overflows (fwd)
Message-ID:  <Pine.BSF.4.21.0010101908580.4266-100000@achilles.silby.com>
In-Reply-To: <20001010165908.C9112@grok>

On Tue, 10 Oct 2000, Steve Reid wrote:

> On Tue, Oct 10, 2000 at 07:02:30AM -0700, Cy Schubert - ITSD Open Systems Group wrote:
> > For those of you who don't subscribe to BUGTRAQ, here's a heads up.
> 
> I tried it on a 4.1-R box and a 4.1.1-R box, with the same results both
> times:
> 
> steve@grok:/home/steve% ./exploit.csh 
> -rwxr-sr-x  1 steve  wheel  622908 Oct 10 16:47 /tmp/csh
> 
> So there is arbitrary code being executed to copy csh to /tmp and set
> it setgid, but I am in group wheel already, so no gain (it should be
> group kmem). Either systat gives up privs before the Bad Stuff happens,
> or the exploit is just a proof-of-concept designed to not work for
> script kiddies.

Well, the advisory states that ncurses 5.0 and before are vulnerable.  It
looks like 5.1-prerelease is what 4.1+ are using.  So, until we hear more
from warner/kris, I'm assuming that 4.0/3.x are vulnerable, but 4.1+ is
safe.

(The exploit didn't work for me either, FWIW.)

Mike "Silby" Silbersack
