Hi, A friend of mine just tried this against my unstable box and successfully obtained the contents of /etc/shadow.
I imagine that this is a problem in libc -- I'll leave it to [EMAIL PROTECTED] to file bug reports. cheers, Thomas -- who's watching your watchmen? gpg: pub 1024D/81FD4B43 sub 4096g/BB6D2B11=>p.nu/d 2B72 53DB 8104 2041 BDB4 F053 4AE5 01DF 81FD 4B43 ---------- Forwarded message ---------- From: Techno Bob <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Date: Sat, 6 Jan 2001 17:23:35 -0500 Subject: Re: traceroute-4.4BSD (slack) heap overflow ------Original Message------ Yep, I know, that's exactly why I posted it here, because I found no proper way to exploit it, even by modifying /etc/hosts :) Btw, isn't there any environment variable that allows you to specify the hosts file being used? ------------------------------- Yep, try this: $ export RESOLV_HOST_CONF= any file you want And this can be done by user-level because this used to be a way to view /etc/shadow. Combine this with the exploit method I suggested earlier and you've got a pretty plausable exploitation method. Thanx TBob "Veni Vermini Vomui" ______________________________________________ FREE Personalized Email at Mail.com Sign up at http://www.mail.com/?sr=signup