lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <61069.195.128.2.68.1187201447.squirrel@service2.wolfgarten.com>
Date: Wed, 15 Aug 2007 20:10:47 +0200 (CEST)
From: sebastian@...fgarten.com
To: joey.mengele@...hmail.com
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Re: McAfee Virus Scan for Linux and Unix v5.10.0
 Local Buffer Overflow

But Joey as I said before, maybe somebody assigned SUID root privileges to
the scanner to enable ordinary users to run the scanner? I know this is
not the case by default but it might happen (and will result in a local
privilege escalation). For instance, in a similar buffer overflow that I
discovered earlier this year in Trend Micro's virus scanner this was the
exact problem...

Best regards,
Sebastian

> You are playing handpuppet of the jackass, actually. Check PATH_MAX
> in the Linux Kernel.
>
> J
>
> On Wed, 15 Aug 2007 12:53:18 -0400 monikerd <monikerd@...il.com>
> wrote:
>>Joey Mengele wrote:
>>> Where does security come into play here? This is a local crash
>>in a
>>> non setuid binary. I would like to hear your remote exploitation
>>
>>> scenario. Or perhaps your local privilege escalation scenario?
>>>
>>> J
>>>
>>>
>>I'll play advocate of the devil then. Imagine a wiki running on a
>>webserver,
>>
>>that allows anybody to create new topics which end up in
>>/articles/[Topic].txt
>>with sufficient .htaccess stuff in /articles to twart most usual
>>attacks ..
>>
>>
>>If you could create an arbitrary long topic, then you *might*
>>be able to execute some code, when some cronjob would scan the
>>drive
>>and come across the file?
>>
>>creating files is a different privilege than  running code. Hence
>>imho
>>it's not a bogus advisory.
>>
>>
>>another possibility would be to create an archive that extracts an
>>incredibly
>>long filename perhaps? scanning an archive before/after it's
>>extracted
>>is a pretty common event i guess.
>
> --
> Truck Rentals - Click Here.
> http://tagline.hushmail.com/fc/Ioyw6h4deMfubiVvi7gHv4s7CdhKJ8kEwJlfzSquIJmjLCuoP1m9Dv/
>
>


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ