RE: Linux's lpr exploit (fwd)
----------
From: David Brauman[SMTP:crisk@netvision.net.il]
Sent: Monday, 28 October 1996 23:11
To: Meir Litmanovich
Cc: Linux IL
Subject: Re: Linux's lpr exploit (fwd)
On Sun, 27 Oct 1996, Meir Litmanovich wrote:
> #include <stdio.h>
> #include <stdlib.h>
> #include <unistd.h>
>
> #define DEFAULT_OFFSET 50
> #define BUFFER_SIZE 1023
>
> long get_esp(void)
> {
> __asm__("movl %esp,%eax\n");
> }
>
This is more or less the generic Linux buffer overflow code.... I had
this exact same code (using mount instead of lpr) long ago. It seems that
some warez-kiddie took someone's code (I think the original coder is
nicknamed halflife on IRC) and spread it around, taking all the credits
etc. Since this is generic, it should work on all setuid programs.
This will not work on ALL suid programs. This is a buffer overflow; it should be solved at the program level, by checking the length of the arguments passed to the program at execution
time. It probably can be solved at the kernel level, but that doesn't make it a kernel bug.
Truth is that with Linux you can use almost any suid program to get root access, not only
in this way.
You can do all kinds of things; whoever looks for INSIDE security should not run LINUX,
unless he knows 100% what he is doing.
I'd like to get the patch, though. (Informational, I don't let anybody
run anything on this machine without me ttysnooping him.)
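As an added example (not code from either poster, and not lpr's own source), the C below puts the pattern the quoted exploit relies on next to the program-level fix Meir describes: a fixed-size stack buffer filled from argv with an unbounded copy, beside a version that refuses any argument that does not fit before copying, plus a startup check over the whole argv. The buffer size, the `lpr -P <name>` argv shape and the 1023-byte filler argument are assumptions chosen for illustration (1023 matches the BUFFER_SIZE in the quoted exploit; the real lpr limit is not on this page).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical size of a fixed printer-name buffer in a setuid program
 * (assumption for this example; the real lpr limit is not on the page). */
#define NAME_BUF_SIZE 32

/* The pattern the generic exploit relies on: a fixed stack buffer filled
 * from argv with an unbounded copy. An argument longer than the buffer
 * overwrites the saved frame pointer and return address, which is what
 * the "get_esp() + DEFAULT_OFFSET" trick aims at. Shown only for
 * comparison; never call it on untrusted input. */
void set_printer_unchecked(const char *arg)
{
    char name[NAME_BUF_SIZE];
    strcpy(name, arg);            /* no length check at all */
    printf("printer: %s\n", name);
}

/* Program-level fix: refuse any argument that does not fit, before copying.
 * memchr only finds the NUL if it lies within the first outsz bytes, so an
 * over-long argument is rejected without reading past the buffer size.
 * Returns 0 on success, -1 if the argument would not fit. */
int copy_arg_checked(const char *arg, char *out, size_t outsz)
{
    const char *nul;

    if (arg == NULL || outsz == 0)
        return -1;
    nul = memchr(arg, '\0', outsz);
    if (nul == NULL)
        return -1;                /* strlen(arg) >= outsz: would overflow */
    memcpy(out, arg, (size_t)(nul - arg) + 1);
    return 0;
}

/* Check every argument once at startup, as the reply suggests, so a setuid
 * program bails out before any internal buffer sees an over-long string.
 * Returns the index of the first argument longer than maxlen, or 0 if all fit. */
int first_oversized_arg(int argc, char **argv, size_t maxlen)
{
    int i;

    for (i = 1; i < argc; i++) {
        if (memchr(argv[i], '\0', maxlen + 1) == NULL)
            return i;
    }
    return 0;
}

/* Constructed filler argument of the kind the exploit passes: len bytes of
 * 'A' (the real exploit fills it with shellcode and return addresses). */
char *make_long_arg(size_t len)
{
    char *p = malloc(len + 1);
    if (p == NULL)
        return NULL;
    memset(p, 'A', len);
    p[len] = '\0';
    return p;
}

/* Simulate the argv a setuid lpr would receive: "lpr -P <hostile_len bytes>"
 * (assumed shape). Returns what first_oversized_arg reports for it, or -1 on
 * allocation failure. */
int check_simulated_argv(size_t hostile_len, size_t maxlen)
{
    char *hostile = make_long_arg(hostile_len);
    char *av[4];
    int bad;

    if (hostile == NULL)
        return -1;
    av[0] = "lpr"; av[1] = "-P"; av[2] = hostile; av[3] = NULL;
    bad = first_oversized_arg(3, av, maxlen);
    free(hostile);
    return bad;
}

int main(void)
{
    char name[NAME_BUF_SIZE];

    printf("first oversized argument: %d\n",
           check_simulated_argv(1023, NAME_BUF_SIZE - 1));   /* prints 2 */

    if (copy_arg_checked("lp", name, sizeof name) == 0)
        printf("accepted: %s\n", name);
    if (copy_arg_checked("AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA",
                         name, sizeof name) != 0)
        printf("rejected over-long argument\n");

    /* set_printer_unchecked() with the 1023-byte argument would smash the
     * stack; it is deliberately not called here. */
    return 0;
}
```

The point of `first_oversized_arg` is where it runs: before the program does anything with its arguments, so a setuid binary rejects the exploit's padded argument as a whole instead of relying on every internal `strcpy` having been audited. It does not make the kernel responsible, which matches the reply's position; a kernel-side limit such as a maximum argv length would only narrow the attack surface, not remove the missing check in the program.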