In fact /usr/sbin/hfaxd is SUID to root, _not_ uucp as I stated in my previous message. Sorry for this mistake.

--
regards,
-= Marcin Dawcewicz =-
mailto: [EMAIL PROTECTED]
"When freedom is outlawed, only outlaws will be free"

---------- Forwarded message ----------
Date: Thu, 12 Apr 2001 03:22:20 +0200 (CEST)
From: Marcin Dawcewicz <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: HylaFAX vulnerability

Hi,

I've found a classical format bug while I was playing with the HylaFAX server (v4.1 beta2):

  $ [ -u /usr/sbin/hfaxd ] && /usr/sbin/hfaxd -q '%n%n'  # SUID uucp
  Segmentation fault

It crashes while calling syslog() with a user-supplied fmt. Looks nasty.

Sorry, I have no working exploit, I won't have one and I have no idea if there are other similar bugs in HylaFAX. I just thought it would be nice to bring this case to your attention, guys. Maybe someone who has more time than I have can do a little more research.

--
greets,
-= Marcin Dawcewicz =-
mailto: [EMAIL PROTECTED]
"When freedom is outlawed, only outlaws will be free"
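
The bug class reported above (untrusted text handed to syslog() as the format) next to its standard fix, as an added example that is not HylaFAX source and not part of the original message. The function names are hypothetical, and `%n%n` is the argument from the report used as constructed input.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Pattern from the report, shown only as a comment:
 *     syslog(LOG_ERR, user_text);
 * user_text is parsed as the format, so "%n%n" becomes two directives that
 * consume arguments which were never passed. */

/* Hardened form: the format is a constant, the untrusted text is only data. */
void log_untrusted(int prio, const char *user_text)
{
    syslog(prio, "%s", user_text);
}

/* The same constant-format rule rendered into a buffer so the result can be
 * inspected. Returns the length the full message needs, as snprintf() does. */
int render_untrusted(char *out, size_t outlen, const char *user_text)
{
    return snprintf(out, outlen, "%s", user_text);
}

/* Audit helper: count the '%' characters that would start a conversion
 * directive if the string were used as a format. "%%" is the escape for a
 * literal percent sign and is not counted. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    const char *arg = "%n%n";   /* constructed input: the -q value above */
    char buf[64];

    render_untrusted(buf, sizeof buf, arg);
    printf("logged as data: %s (directives if used as format: %d)\n",
           buf, count_directives(arg));
    log_untrusted(LOG_ERR, arg);
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes GCC and Clang warn about calls whose format argument is not a string literal, which is the pattern in the comment at the top of the block.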
