Re: Exploit

2001-06-09 Thread Tomasz Olszewski
Hello Debian Users!

>  Do you really think it's an 'exploit'? ;>

Jeez ;)

> int getuid() { return 0; }
> int geteuid() { return 0; }
> int getgid() { return 0; }
> int getegid() { return 0; }

I haven't checked if I could do something real. I just ran whoami and
thought that the kernel also uses the above functions to check my id :) Next
time I'll do some more tests before I start to worry ;) Stupid me!

-- 
Tomasz Olszewski | [EMAIL PROTECTED]
"O, holy naivety!" -- Jan Hus




Re: Exploit

2001-06-09 Thread Jason Thomas
I don't think this is an exploit, but rather something similar to
fakeroot.


On Sat, Jun 09, 2001 at 02:32:30PM +0200, Tomasz Olszewski wrote:
> Could you please tell me how I can prevent the following exploit:
> http://lcamtuf.coredump.cx/soft/ld-expl
> 
> -- 
> Tomasz Olszewski | [EMAIL PROTECTED]
> "It is in human nature to hate the one you have wronged." -- Tacyt
> 
> 
> --  
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> 

-- 
Jason Thomas                    Phone:  +61 2 6257 7111
System Administrator - UID 0    Fax:    +61 2 6257 7311
tSA Consulting Group Pty. Ltd.  Mobile: 0418 29 66 81
1 Hall Street Lyneham ACT 2602  http://www.topic.com.au/




Re: Exploit

2001-06-09 Thread SDiZ Cheng
Nothing has to be done. It's just a joke.
Try it: under that "root" shell, create some file, then ls -l.


- Original Message -
From: "Tomasz Olszewski" <[EMAIL PROTECTED]>
To: 
Subject: Exploit


> Could you please tell me how I can prevent the following exploit:
> http://lcamtuf.coredump.cx/soft/ld-expl
>
> --
> Tomasz Olszewski | [EMAIL PROTECTED]
> "It is in human nature to hate the one you have wronged." -- Tacyt
>
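Tomasz's reply above says whoami believed the preloaded getuid(), and SDiZ's answer points at the tell-tale: create a file and look at its owner with ls -l. The following C program is an added example, not code from this thread or from the ld-expl script, showing three ways to confirm from inside a shell whether its credentials are real or only faked in user space: a raw SYS_getuid syscall (which bypasses the libc wrapper a preloaded library can replace), the Uid: line of /proc/self/status, and the ownership the kernel stamps on a freshly created file. It assumes Linux (for the raw syscall and /proc) and a writable /tmp; the file and function names are my own.

```c
/* Added example (not from the thread): tell a genuine root shell from one
 * where only libc's getuid()/geteuid() have been overridden via LD_PRELOAD,
 * as in the "ld-expl" joke discussed above.  Assumes Linux; build with
 * cc -o uidcheck uidcheck.c */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/syscall.h>

/* 1. Ask the kernel directly with a raw syscall.  A preloaded library can
 *    replace the libc wrapper getuid(), but not the syscall behind it. */
long kernel_uid(void)
{
    return syscall(SYS_getuid);
}

/* 2. Parse the "Uid:" line of /proc/self/status, which the kernel fills in
 *    from this process's real credentials.  Returns -1 if /proc is absent. */
long proc_status_uid(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return -1;
    char line[256];
    long uid = -1;
    while (fgets(line, sizeof line, f) != NULL) {
        if (strncmp(line, "Uid:", 4) == 0) {
            /* Uid: <real> <effective> <saved> <filesystem> */
            if (sscanf(line + 4, "%ld", &uid) != 1)
                uid = -1;
            break;
        }
    }
    fclose(f);
    return uid;
}

/* 3. The check SDiZ suggests: create a file and see who owns it.  The
 *    kernel stamps the inode with the creating process's credentials, so a
 *    fake geteuid() makes no difference.  Returns the owner uid, or -1 if
 *    /tmp is not writable. */
long owner_of_new_tempfile(void)
{
    char path[] = "/tmp/uidcheck-XXXXXX";   /* constructed scratch path */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    struct stat st;
    long owner = (fstat(fd, &st) == 0) ? (long)st.st_uid : -1;
    close(fd);
    unlink(path);
    return owner;
}

/* Returns 1 when every kernel-side view agrees with libc's answer, and 0
 * when they disagree, i.e. getuid() is being faked in user space. */
int libc_uid_is_genuine(void)
{
    long libc = (long)getuid();
    long k = kernel_uid();
    long p = proc_status_uid();
    long o = owner_of_new_tempfile();
    if (k != libc)
        return 0;
    if (p != -1 && p != libc)
        return 0;
    if (o != -1 && o != libc)
        return 0;
    return 1;
}

int main(void)
{
    printf("libc getuid()     : %ld\n", (long)getuid());
    printf("raw SYS_getuid    : %ld\n", kernel_uid());
    printf("/proc/self/status : %ld\n", proc_status_uid());
    printf("owner of new file : %ld\n", owner_of_new_tempfile());
    printf("verdict: %s\n", libc_uid_is_genuine()
           ? "credentials are real"
           : "getuid() is being faked in user space");
    return 0;
}
```

Run it normally and all four numbers agree; run it with the fake getuid() library preloaded and only the first line changes, which is exactly why the kernel never granted anything.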



Re: Exploit

2001-06-09 Thread Jakub Jankowski
On 2001-06-09, Tomasz Olszewski wrote:

>Could you please tell me how I can prevent the following exploit:

Do you really think it's an 'exploit'? ;>

[EMAIL PROTECTED] admin$ cat l33t.sh
#!/bin/sh
echo "1|nux r007 3xp10|7 by 1c4m7uf"
cd /tmp
cat >ex.c <

 s.

-- 
(0>  Jakub Jankowski     [url]: s.atn.pl      "Beauty is skin deep;
//\   [EMAIL PROTECTED]  [uin]: 70171776      ugly goes right
V_/_  [EMAIL PROTECTED]  [cell]: 502110186    to the bone."



Exploit

2001-06-09 Thread Tomasz Olszewski
Could you please tell me how I can prevent the following exploit:
http://lcamtuf.coredump.cx/soft/ld-expl

-- 
Tomasz Olszewski | [EMAIL PROTECTED]
"It is in human nature to hate the one you have wronged." -- Tacyt



potential buffer overflow in xinetd-2.1.8.9pre11-1 (fwd)

2001-06-09 Thread Miquel Martín López
Hi there!
What do you think of this? Is 2.1.8.8 vulnerable? I checked the source code
for my potato xinetd and it doesn't look like it is...
Any opinions?
Miquel Martín

- Forwarded message from [EMAIL PROTECTED] -

Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm
Date: Sat, 9 Jun 2001 02:10:41 +1200 (NZST)
From: <[EMAIL PROTECTED]>
Subject: potential buffer overflow in xinetd-2.1.8.9pre11-1
Resent-To: Administrador del Sistema <[EMAIL PROTECTED]>
Resent-To: Miquel Martín López <[EMAIL PROTECTED]>

***
 Potential remote overflow fixed in patched version of xinetd
***

***
 Problem:   potential buffer overflow in xinetd-2.1.8.9pre11-1
***

***
Fix:  update to xinetd-2.1.8.9pre15-2 (for redhat ppl)
***

Please note:  This does not seem to be exploitable in a default
setup RH 7.0 machine. However, there may be other distributions/
configurations that it is used in where it is exploitable.


***
   Details of the problem
***

svc_logprint (in xinetd/log.c) has a slight bug which may allow remote
root access.


...
len = strx_nprint( buf, bufsize, "%s: %s ", line_id, SVC_ID( sp ) ) ;
va_start( ap, fmt ) ;
*->cc = strx_nprintv( &buf[ len ], bufsize, fmt, ap ) ;
va_end( ap ) ;
...
(bufsize=sizeof(buf) ==  LOGBUF_SIZE = 1024)

If an argument to the marked line is longer than (bufsize-len) then it
will overflow the string.

The ident feature allows returning 1024 bytes of information, and that
information, less the source,dest: component and the \r\n, is passed to
svc_logprint() as an argument.
1024,21:USERID:A...AA\r\n
such that the string totals 1024 characters for example.

If a malicious root user were to connect, he could set his own source
port to something like 1, which would gain him another 3-4 characters.
1,21:USERID:A...A\r\n

The string is then truncated at the \r

(xinetd/ident.c)
...
   svc_logprint( SERVER_CONNSERVICE( serp ), USERID_ENTRY, "%s", p ) ;
...

p would then be a string 1010 characters long.
If strlen(line_id)+strlen(SVC_ID( sp ) )>14 then we have a buffer
overflow.

With the ftp service I was only able to get a 1022 byte buffer written,
but with other services with longer names that use authentication, this
could be a serious problem.

The server is still running as root while this happens.


--zen-parse


- End forwarded message -
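The defect the advisory marks is a bound that is not adjusted for the offset: the second formatter starts writing at &buf[len] but is still told it has bufsize bytes available. The C program below is an added example, not xinetd's source; it stands in vsnprintf() for xinetd's strx_nprintv() (the assumption being that both truncate to the limit they are given and NUL-terminate), models how far the original bound would let a write run past a 1024-byte buffer for the advisory's 1010-byte ident reply, and shows the hardened form that passes the remaining space, bufsize - len, instead. LOGBUF_SIZE is taken from the advisory; the line_id and service names in the worked case are constructed stand-ins.

```c
/* Added example (not xinetd's code): the bound-propagation bug behind the
 * svc_logprint() report, modelled with vsnprintf() in place of xinetd's
 * strx_nprintv(). */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF_SIZE 1024   /* buffer size quoted by the advisory */

/* Bytes the buggy call would write past the end of a bufsize-byte buffer,
 * computed without performing the write.  The bug: the second formatter is
 * handed the whole bufsize as its limit even though it starts at offset
 * len, so it may emit up to bufsize bytes (argument plus NUL) at &buf[len]. */
size_t overflow_bytes_buggy(size_t len, size_t bufsize, size_t arglen)
{
    size_t emitted = arglen + 1;      /* argument plus terminating NUL */
    if (emitted > bufsize)
        emitted = bufsize;            /* the limit it was (wrongly) given */
    size_t end = len + emitted;
    return end > bufsize ? end - bufsize : 0;
}

/* Hardened counterpart: the variadic part receives the *remaining* space,
 * bufsize - len, so the total can never exceed bufsize.  Returns the number
 * of characters stored (excluding the NUL), or -1 on a formatting error. */
int safe_logprint(char *buf, size_t bufsize,
                  const char *line_id, const char *svc_id,
                  const char *fmt, ...)
{
    if (bufsize == 0)
        return -1;
    int n = snprintf(buf, bufsize, "%s: %s ", line_id, svc_id);
    if (n < 0)
        return -1;
    size_t len = (size_t)n;
    if (len >= bufsize)               /* prefix alone filled the buffer; */
        return (int)(bufsize - 1);    /* snprintf left it NUL-terminated */

    va_list ap;
    va_start(ap, fmt);
    int m = vsnprintf(&buf[len], bufsize - len, fmt, ap);   /* the fix */
    va_end(ap);
    if (m < 0)
        return -1;
    size_t total = len + (size_t)m;
    if (total > bufsize - 1)
        total = bufsize - 1;          /* vsnprintf truncated; report what fits */
    return (int)total;
}

/* Worked case with the advisory's figures: a 1024-byte log buffer and a
 * 1010-character ident reply (constructed here as a run of 'A's).  Returns
 * the length stored by the hardened routine, always < LOGBUF_SIZE, and via
 * *buggy_over how far the original bound would have written past the end. */
int ident_case(const char *line_id, const char *svc_id, size_t *buggy_over)
{
    static char ident[1011];
    memset(ident, 'A', 1010);
    ident[1010] = '\0';

    char buf[LOGBUF_SIZE];
    int stored = safe_logprint(buf, sizeof buf, line_id, svc_id, "%s", ident);
    if (stored < 0 || (size_t)stored != strlen(buf))
        return -2;                    /* sanity: stored length must match */

    size_t len = strlen(line_id) + 2 + strlen(svc_id) + 1;   /* "%s: %s " */
    if (buggy_over != NULL)
        *buggy_over = overflow_bytes_buggy(len, sizeof buf, 1010);
    return stored;
}

int main(void)
{
    size_t over;
    int stored = ident_case("USERID_ENTRY", "ftp", &over);
    printf("hardened routine stored %d bytes (buffer %d)\n", stored, LOGBUF_SIZE);
    printf("original bound would have run %zu bytes past the buffer\n", over);
    return 0;
}
```

With an 18-byte prefix the hardened routine keeps 1023 characters and a NUL; the original bound would have put 7 bytes beyond the buffer. The exact prefix length at which overflow begins depends on strx_nprintv's own truncation rules, which is why the advisory's threshold of 14 is reported rather than reproduced here.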



Re: Linux box vs black box

2001-06-09 Thread Rene Mayrhofer
Mathias Bocquet wrote:
> This is perhaps off topics, but I'm searching for external opinions
> about firewalls ;
> 
> 1 - a linux box with kernel 2.4.x and netfilter/NAT
Some will probably already know it, but it might help others. If you
want this option without the need for installing a system from scratch,
you might want to take a look at Gibraltar. It's mostly Debian on a
bootable CD-ROM with all the tools you need for firewalling,

http://www.gibraltar.at/

best regards,
Rene


