Message-ID: <20030810011227.5888.qmail@www.securityfocus.com>
Date: 10 Aug 2003 01:12:27 -0000
From: yan feng <jsk@...nt0m.net>
To: bugtraq@...urityfocus.com
Subject: PST Linux Advisor--------Dsh-0.24.0 in debian has a home env
    Buffer Overflow Vulnerability




                            ========================================
                             Ph4nt0m Security Advisory #2003--8-10
                            ========================================

              Dsh-0.24.0 in debian has a home env Buffer Overflow 
Vulnerability


By "jsk" (akun), in ph4nt0m.net(c) Security.
E-mail: jsk@...nt0m.net 


Advisory Number : pst-2003--8-10-004
name              : dsh
versions          : 0.24.0, possibly also 0.24.1
Vendor           : http://fresh.t-systems-sfr.com/linux/src/dsh-0.24.0.tar.gz
summary           : Local&remote
os(s)            : *nix
 
***************************************************************************
**
Description : the bug should be in Debian OS. Successful exploitation could
result in arbitrary code execution with potentially elevated privileges.

***************************************************************************
**
具体漏洞 (vulnerability details):
***************************************************************************
**

dsh.c

main(int ac, char ** av)
{
  char *buf=NULL;
  
  setlocale (LC_ALL, "");
  if (!textdomain(PACKAGE_NAME))
    {
      if (!bindtextdomain(PACKAGE_NAME, LOCALEDIR))
	fprintf (stderr, "%s: failed to call bindtextdomain\n", PACKAGE);
    }
  
  
  
  load_configfile(DSH_CONF);
  if (asprintf (&buf, "%s/.dsh/dsh.conf", getenv("HOME")) < 
0).............lol
    {
      fprintf (stderr, _("%s: asprintf failed\n"), PACKAGE);
      exit (1);
    }  
  load_configfile(buf);
  free (buf);


asprintf&#30340;&#23450;&#20041;&#65306;

int asprintf(char **strp, const char *fmt, ...)
{
  ssize_t buflen = 50 * strlen(fmt); /* pick a number, any number 
*/.............lol
  *strp = malloc(buflen);

  if (*strp)
  {
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(*strp, buflen, fmt, ap);..................................lol
    va_end(ap);
    return buflen;
  } 
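hey:

strlen(getenv("HOME")) > 50*strlen("%s/.dsh/dsh.conf")  ......buf overflow......
(In the asprintf quoted above, vsnprintf is given buflen as its size limit, so
with a conforming vsnprintf an over-long HOME would be truncated rather than
written past the malloc'ed buffer; the overflow depends on a vsnprintf that
does not honour that limit. The quoted function also returns buflen instead of
the formatted length, and main passes getenv("HOME") to "%s" without a NULL
check.)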
***************************************************************************
**********************
By "jsk" (akun), in ph4nt0m.net(c) Security.
E-mail:jsk@...nt0m.net 
ph4nt0m Security Team: http://www.ph4nt0m.net 
My World: http://jsk.ph4nt0m.net
MY GnuPG Public Key: http://202.119.104.82/webeq/app/jsk/jsk.asc 

