lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAFB=mGBoe=Vix2QLE2Qk-GHS0vd2WVXLuUy8MFHp_0+QCQFLdA@mail.gmail.com>
Date: Tue, 13 Dec 2011 18:36:01 +0100
From: "HI-TECH ." <isowarez.isowarez.isowarez@...glemail.com>
To: full-disclosure@...ts.grok.org.uk, Ramon de C Valle <rcvalle@...hat.com>
Subject: Re: Exploiting glibc __tzfile_read integer
 overflow to buffer overflow and vsftpd

Hi,
I read through your blog post with much excitement as it seems you got
your way through
to a stable way to exploit this vulnerability, congrats to that.
Apart from the discussion on how to exploit the heap overrun I just
want to mention that
to exploit this bug in vsftpd you have to break the chroot as done in
the FreeBSD ftpd/proftpd
case, and for this you need to have root privileges. Since vsftpd uses
privilege seperation
one might use a linux local root exploit through the syscall interface
to get root.
so for example one way would be:
1.) upload a customized statically linked local root exploit which
will break chroot and drop the shell as either portbind or connectback
     or any other method
2.) exploit the heap overrun to do an execve to the linux local root
3.) the customized local root binary will first get root privs and
then for example use ptrace to break chroot
     and send the shell back to the attacker.

Now this would be nice to see in a real exploit since I have not seen
such a technique be used anywhere anytime.

Regards,

Kingcope

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ