| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 15 Aug 2007 18:53:18 +0200 From: monikerd <monikerd@...il.com> To: joey.mengele@...hmail.com Cc: sebastian@...fgarten.com, full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com Subject: Re: McAfee Virus Scan for Linux and Unix v5.10.0 Local Buffer Overflow Joey Mengele wrote: > Where does security come into play here? This is a local crash in a > non setuid binary. I would like to hear your remote exploitation > scenario. Or perhaps your local privilege escalation scenario? > > J > > I'll play advocate of the devil then. Imagine a wiki running on a webserver, that allows anybody to create new topics which end up in /articles/[Topic].txt with sufficient .htaccess stuff in /articles to twart most usual attacks .. If you could create an arbitrary long topic, then you *might* be able to execute some code, when some cronjob would scan the drive and come across the file? creating files is a different privilege than running code. Hence imho it's not a bogus advisory. another possibility would be to create an archive that extracts an incredibly long filename perhaps? scanning an archive before/after it's extracted is a pretty common event i guess. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists