Message-ID: <20021129082046.45756.qmail@web13104.mail.yahoo.com>
From: d4yj4y at yahoo.com (Day Jay)
Subject: Bug in "lockdev" on Redhat 8.x

Chung's Donut Shop Release
==========================
www.chungsdonutshop.com

Bug in "lockdev" on Redhat 8.x
-------------------------------
by d4yj4y
d4yj4y@...ngsdonutshop.com

"lockdev" on Redhat 8.x segfaults when passed a switch
without any parameters. lockdev is setuid
"lock". If successfully exploited, this could grant a
different id.

Per the documentation:

       The lockdev functions act on device locks
normally located in /var/lock. The lock is acquired
creating a pair of files hardlinked between them and
named after the device name....

Anyway, the program is probably not called often by
itself (assumption). It's probably called by other
programs, but either way it doesn't even validate its
options well.

See below:

[root@...rmom]# /usr/sbin/lockdev -l
Segmentation fault
[root@...rmom]# gdb /usr/sbin/lockdev
GNU gdb Red Hat Linux (5.2.1-4)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General
Public License, and you are welcome to change it
and/or distribute copies of it under certain
conditions. Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show
warranty" for details. This GDB was configured as
"i386-redhat-linux"...
(no debugging symbols found)...
(gdb) set args -l
(gdb) run
Starting program: /usr/sbin/lockdev -l
(no debugging symbols found)...(no debugging symbols
found)...
Program received signal SIGSEGV, Segmentation fault.
0x4207a893 in strrchr () from /lib/i686/libc.so.6
(gdb)

I haven't been able to overwrite the eip, and taking a
look at the strrchr() function told me why it would be
hard.

I don't know if this can even be exploited but it's
still a bug.
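The crash pattern this advisory describes, as an added example in C that is not lockdev's own source: it assumes the fault is a switch handler taking the NULL that terminates argv in place of a device name and handing it to strrchr(), and shows the same handler with the parameter checked first. The function and array names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the failure mode reported above, not lockdev's source:
 * the word after "-l" is the device name, and strrchr() strips its directory
 * part.  With "-l" as the last argument, argv[i + 1] is NULL (C guarantees
 * argv[argc] == NULL), so strrchr(NULL, '/') dies with SIGSEGV, as in gdb. */
static const char *device_name_unchecked(int argc, char **argv) {
    const char *dev = NULL;
    for (int i = 1; i < argc; i++)
        if (strcmp(argv[i], "-l") == 0)
            dev = argv[i + 1];               /* NULL when -l is the last word */
    const char *slash = strrchr(dev, '/');   /* crashes when dev == NULL */
    return slash ? slash + 1 : dev;
}

/* Hardened version: the parameter is validated before anything touches it;
 * returns 0 with the basename in *out, or -1 for a missing/empty/switch-like name. */
static int device_name_checked(int argc, char **argv, const char **out) {
    const char *dev = NULL;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-l") != 0)
            continue;
        if (i + 1 >= argc || argv[i + 1][0] == '\0' || argv[i + 1][0] == '-') {
            fprintf(stderr, "lockdev: option -l requires a device name\n");
            return -1;
        }
        dev = argv[++i];
    }
    if (dev == NULL)
        return -1;                            /* no -l given at all */
    const char *slash = strrchr(dev, '/');
    *out = slash ? slash + 1 : dev;
    return 0;
}

/* Basename on success, NULL on a rejected command line. */
static const char *checked_or_null(int argc, char **argv) {
    const char *name = NULL;
    return device_name_checked(argc, argv, &name) == 0 ? name : NULL;
}
/* Constructed command lines: a well-formed call and the one that crashed. */
static char *argv_good[] = {"lockdev", "-l", "/dev/ttyS0", NULL};
static char *argv_bad[]  = {"lockdev", "-l", NULL};
int main(void) {
    printf("unchecked, good argv: %s\n", device_name_unchecked(3, argv_good));
    printf("checked, bad argv: %s\n", checked_or_null(2, argv_bad) ? "ok" : "rejected, no crash");
    return 0;
}
```

Calling device_name_unchecked(2, argv_bad) reproduces the SIGSEGV from the gdb session, which is why main only runs it on the well-formed argv.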
