But Joey as I said before, maybe somebody assigned SUID root privileges to the scanner to enable ordinary users to run the scanner? I know this is not the case by default but it might happen (and will result in a local privilege escalation). For instance, in a similar buffer overflow that I discovered earlier this year in Trend Micro's virus scanner this was the exact problem...
Best regards, Sebastian > You are playing handpuppet of the jackass, actually. Check PATH_MAX > in the Linux Kernel. > > J > > On Wed, 15 Aug 2007 12:53:18 -0400 monikerd <[EMAIL PROTECTED]> > wrote: >>Joey Mengele wrote: >>> Where does security come into play here? This is a local crash >>in a >>> non setuid binary. I would like to hear your remote exploitation >> >>> scenario. Or perhaps your local privilege escalation scenario? >>> >>> J >>> >>> >>I'll play advocate of the devil then. Imagine a wiki running on a >>webserver, >> >>that allows anybody to create new topics which end up in >>/articles/[Topic].txt >>with sufficient .htaccess stuff in /articles to twart most usual >>attacks .. >> >> >>If you could create an arbitrary long topic, then you *might* >>be able to execute some code, when some cronjob would scan the >>drive >>and come across the file? >> >>creating files is a different privilege than running code. Hence >>imho >>it's not a bogus advisory. >> >> >>another possibility would be to create an archive that extracts an >>incredibly >>long filename perhaps? scanning an archive before/after it's >>extracted >>is a pretty common event i guess. > > -- > Truck Rentals - Click Here. > http://tagline.hushmail.com/fc/Ioyw6h4deMfubiVvi7gHv4s7CdhKJ8kEwJlfzSquIJmjLCuoP1m9Dv/ > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
