| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 01 May 2011 08:33:33 -0300 From: root <root_@...ertel.com.ar> To: full-disclosure@...ts.grok.org.uk Subject: Re: Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient However I have to say that Mr. Neo here may have an actually exploitable bug if the overflow code can be also reached with a remote codepath. On 04/29/2011 12:43 AM, Mario Vilas wrote: > Precisely. The poc triggers the bug by passing a very long command line > argument, so it's assumed the attacker already has executed code. The only > way this is exploitable is if the binary has suid (then the attacker can > elevate privileges) or the command can be executed remotely (and the > attacker additionaly cannot execute any other commands, but can mysteriously > control the arguments). Unless either scenario is researched (and nothing in > the advisory tells me so) I call bullshit. > > On Thu, Apr 28, 2011 at 6:09 PM, <Valdis.Kletnieks@...edu> wrote: > >> On Thu, 28 Apr 2011 14:40:22 -0300, Mario Vilas said: >> >>> Is the suid bit set on that binary? Otherwise, unless I'm missing >> something >>> it doesn't seem to be exploitable by an attacker... >> >> Who cares? You got code executed on the remote box, that's the *hard* >> part. >> Use that to inject a callback shell or something, use *that* to get >> yourself a shell >> prompt. At that point, download something else that exploits you to root - >> if >> you even *need* to, as quite often the Good Stuff is readable by non-root >> users. >> > > > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists