Re: LinCity Buffer Overflow

Bob Tracy - TDS (rct@MERKIN.CSAP.AF.MIL)
Mon, 16 Mar 1998 13:40:21 -0600

T. Freak wrote:
>
> While a buffer overflow is blatantly obvious in the code, I don't think it
> is very dangerous. Observe.
>
> (exploit attempt)
> sh-2.01$ id
> uid=1000(tfreak) gid=1000(tfreak)
> groups=1000(tfreak),0(root),4(adm),7(lp),24(cdrom),25(floppy),31(majordom),69(geek)
> sh-2.01$

The version of bash you are running is the key here... 2.01 renounces
setuid/setgid privs when called as "sh", e.g., system() within a program,
unless the "-p" flag is passed. See the "NOTES" file in the root
directory of the bash-2.01.1 distribution for details.

--
Bob Tracy               | "Eagles may soar, but weasels don't get
AFIWC/TIPER             |  sucked into jet engines."
rct@merkin.csap.af.mil  |       --Anon
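The check Bob describes (bash 2.01 dropping setuid/setgid privileges when it notices the effective ids differ from the real ones, unless "-p" is given) is worth doing in the setuid program itself rather than trusting whichever shell system() happens to find. The following C program is an added example, not code from the original post or from LinCity or bash; the function names running_setuid(), drop_privileges() and run_unprivileged() are hypothetical, and it assumes only POSIX getuid()/geteuid()/setuid()/setgid().

```c
/* Added example (not from the original post): applies the same rule bash 2.01
 * is described as applying when invoked as "sh" without -p. If the effective
 * uid/gid differ from the real ones, drop to the real ids before spawning a
 * shell through system(). A setuid program should do this itself rather than
 * rely on the shell to refuse the privileges. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Returns 1 if the process holds elevated (setuid/setgid) credentials,
 * i.e. its effective ids differ from its real ids; 0 otherwise. */
int running_setuid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Drop to the real uid/gid unless privileged_mode (the analogue of bash's
 * -p) is requested. Returns 0 when no elevated privileges remain (none were
 * held, or they were dropped), 1 when they were deliberately kept, and -1 if
 * dropping failed, in which case the caller must not go on to run a shell. */
int drop_privileges(int privileged_mode)
{
    if (!running_setuid())
        return 0;
    if (privileged_mode)
        return 1;
    /* Group first: once the effective uid is gone, setgid() may be refused. */
    if (setgid(getgid()) != 0)
        return -1;
    if (setuid(getuid()) != 0)
        return -1;
    /* Re-check rather than assume. Caveat: for a program setuid to a non-root
     * user, setuid() may leave the saved set-user-id elevated; on systems that
     * provide setresuid()/setresgid(), use those to clear all three ids. */
    return running_setuid() ? -1 : 0;
}

/* Run a command through the shell only after privileges are gone. Returns
 * the system() status, or -1 without running anything if the drop failed. */
int run_unprivileged(const char *cmd)
{
    if (drop_privileges(0) != 0)
        return -1;
    return system(cmd);
}

int main(void)
{
    printf("elevated credentials before: %d\n", running_setuid());
    int rc = run_unprivileged("id");
    printf("system() returned %d\n", rc);
    return rc == -1 ? 1 : 0;
}
```

Run as an ordinary user the program reports no elevated credentials and "id" shows the invoking user; installed setuid it prints 1 first and "id" still shows the real user, because the ids were dropped before the shell ever started, whatever shell /bin/sh is.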