Jose Nazario writes:
 > On Sun, 4 Feb 2001, Martin Schulze wrote:
 >
 > > Please tell me what you gain from this.  man does not run setuid
 > > root/man but only setgid man.  So all you can exploit this to is a
 > > shell running under your own user id.
 >
 > sucker admins who m4 their sendmail.mc's as root, chiefly if you trick
 > them into processing an untrusted and untrustworthy .mc file.

Umm... rather, if you can sucker them into processing a file named
"524t24y0%(%R&87963%n%n%n%n%n234t/bin/sh25r7u.mc" or something
similar.  The exploit requires a carefully crafted command line
argument.

If you can sucker them into processing an untrustworthy .mc file, they
are in trouble anyway:

#! /usr/bin/m4
syscmd(chmod 04755 /home/hax0r/sh)

--

Nate Eldredge
[EMAIL PROTECTED]
