lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.44.0208101658590.19883-100000@dent.suse.de>
From: draht at suse.de (Roman Drahtmueller)
Subject: Local Root Exploit

> To: vulnwatch@...nwatch.org, bugtraq@...urityfocus.com,
>      vuln-dev@...urityfocus.com, lance@...eynet.org,
>      full-disclosure@...ts.netsys.com, submissions@...ketstormsecurity.org
> Date: Fri,  9 Aug 2002 15:54:32 -0700
> Subject: [Full-Disclosure] Local Root Exploit
> Reply-To: full-disclosure@...ts.netsys.com
>


This exploit has been published _after_ SuSE Security have published the
packages for the bug on Thursday, August 8, 18:05MEST. I don't want to
claim that gobbles learnt about the bug from the changelogs, but it
definitely looks like.

It is correct that finding format string bugs should be left to the
professionals. This bug has been found by Sebastian Krahmer, SuSE
Security, during an internal code audit. Urgent and adverse matters kept
us from publishing it earlier. It looks like it was early enough.


Please update using the following command:

rpm -Fhv ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/i4l-2002.7.31-0.i386.rpm

ipppd is not installed setuid root any more with this update package.


Besides, I don't think that it is appropriate to carry out a catfight on a
security list.

>  *
>  *     GENERIC FORMATSTRING EXPLOITS ARE SUPER DUPER FUN
>  *
>  * We're surprised that format bugs are allowed in 7350linux, but no one
>  * is perfect.  Finding format bugs is a difficult task, and should be left
>  * to the professionals.  A little known fact -- Paul Vixie invented
>  * insecure programming.  We wanted to get this bug squashed before some
>  * "researcher" from snosoft.com discovered it and tried to make some money
>  * off it.  Help us in our mission to eliminate the existance of format bugs
>  * in code.
>  *
>  * Greets:

[...]


Thanks,
Roman.
-- 
 -                                                                      -
| Roman Drahtm?ller      <draht@...e.de> // "You don't need eyes to see, |
  SuSE Linux AG - Security       Phone: //             you need vision!"
| N?rnberg, Germany     +49-911-740530 //           Maxi Jazz, Faithless |
 -                                                                      -



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ