| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1054208348.8504.357.camel@edtanix> From: mark at vulndev.org (Mark) Subject: Re: /bin/mail & glibc Sorry I am immensely bored today so actually reading email! its actually a problem with /bin/mail and how it handles the CC field. /bin/mail -s Test -c `perl -e 'print "A" 8224'` root@...alhost segfaults and overwrites eip at 8224 characters (segfaults without eip at 8220) dont have to be using zsh to create this problem. there isnt really alot of worry unless /bin/mail was setuid/setgid... easy to spawn a shell.. I've put a messy perl exploit together (www.vulndev.org) run it, insert your '.' and <CR> and you should get a shell. -- Mark www.vulndev.org 'If ignorant both of the enemy and yourself, you are certain in every battle to be in peril' If you know yourself, knowing the enemy does not matter. -- Sun Tzu - The Art of War (Adapted) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030529/f29d7d15/attachment.bin
Powered by blists - more mailing lists