Date: Wed, 4 Oct 2000 00:59:35 -0400
Subject: Re: /bin/su local libc exploit yielding a root shell
To: BUGTRAQ@SECURITYFOCUS.COM

I have been able to verify this exploit on stock Red Hat Linux 6.2, and have
verified that the rogue message catalog is not read when the errata for glibc at:

http://www.redhat.com/support/errata/RHSA-2000-057-04.html

is applied.

Again - Red Hat, Inc. strongly recommends that all users upgrade to the glibc
errata in RHSA-2000-057-04 as it protects you against this and similar exploits.

Cheers,
Matt
msw@redhat.com

On Tue, Oct 03, 2000 at 12:25:14PM +0200, Guido Bakker wrote:
> /*
> Hail to thee dear readers,
>
> This is yet another /bin/su + buggy locale functions in libc exploit.
> The reason for writing it is rather easy to explain, all existing versions
> of "su" format bug exploits were very unreliable and tedious to use - the
> number of addresses on the stack, and thus the number of %.8x signs to use
> varied heavily, as well as the alignment. Return addresses were expected to
> be specified on the command line, which is imho an idiotic thing to combine
> with all the other options that also are to be 'brute forced'.
> Finding these values by hand is a too tedious thing to do and costs the
> average script-kid way too much time. I hoped to solve this in this exploit
> and have found it to work on many different machines so far by using a
> small brute forcing perl wrapper.

<code snipped>

> | Guido Bakker <guidob@mainnet.nl>
> | Network Manager
>
> MainNet BV, http://www.mainnet.nl
> Phone: +31 (0)20 6133505
> Fax: +31 (0)20 6135640
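Editor's added example (not code from the thread above, and not taken from Guido Bakker's exploit or from Red Hat's errata): a small C program showing the two things the quoted post takes for granted. First, why catalog text is dangerous when it reaches a printf-family sink unchanged: render_vuln() passes the message as the format string, render_safe() passes it as a "%s" argument. Second, why the number of %.8x directives has to be brute-forced: find_marker_offset() prepends a 16-byte 'A' marker to the format and adds one %.8x at a time until the field just printed is 41414141, i.e. until the walk up the stack reaches the format buffer itself. All function names (render_message, render_vuln, render_safe, find_marker_offset), the MARKER and MAX_POPS constants and the sample "catalog text" are constructed for this illustration; the count it prints depends on compiler, ABI and frame layout, which is exactly the variation the post complains about.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the libc message path (constructed for this example): whatever
 * arrives as `msg` becomes the format string, as when catalog text is handed
 * straight to a printf-family function. */
static int render_message(char *out, size_t n, const char *msg, ...)
{
    va_list ap;
    int written;
    va_start(ap, msg);
    written = vsnprintf(out, n, msg, ap);
    va_end(ap);
    return written;
}

/* Vulnerable sink: the (possibly attacker-supplied) message IS the format. */
int render_vuln(char *out, size_t n, const char *msg)
{
    return render_message(out, n, msg);
}

/* Hardened sink: the message is only ever printf data, never a format. */
int render_safe(char *out, size_t n, const char *msg)
{
    return render_message(out, n, "%s", msg);
}

#define MARKER   "AAAAAAAAAAAAAAAA"  /* 16 x 'A': 0x41414141 in any aligned 4-byte window */
#define MAX_POPS 256                 /* give up after walking this many stack slots */

/* Brute-force how many "%.8x" pops are needed before the format buffer itself
 * comes back out of the stack.  Returns that count, or -1 if the marker was
 * not reached within MAX_POPS.  Assumption: the marker buffer lives in this
 * function's stack frame, above the variadic argument area, so walking up
 * the stack with %.8x eventually reads it.  Only reads, no %n writes. */
int find_marker_offset(void)
{
    static char out[4096];                    /* static: keeps it off the walked stack */
    char fmt[sizeof MARKER + 4 * MAX_POPS];   /* marker + pops * strlen("%.8x") + NUL */
    int pops;

    for (pops = 1; pops <= MAX_POPS; pops++) {
        size_t len = sizeof MARKER - 1;
        size_t olen;
        int i;

        memcpy(fmt, MARKER, len);
        for (i = 0; i < pops; i++) {
            memcpy(fmt + len, "%.8x", 4);
            len += 4;
        }
        fmt[len] = '\0';

        if (render_vuln(out, sizeof out, fmt) < 0)
            return -1;

        /* Every %.8x emits exactly 8 hex digits; inspect the field just printed. */
        olen = strlen(out);
        if (olen >= 8 && strcmp(out + olen - 8, "41414141") == 0)
            return pops;
    }
    return -1;
}

int main(void)
{
    char buf[64];
    /* Constructed stand-in for text an attacker plants in a message catalog. */
    const char *catalog_text = "su: incorrect password %.8x%.8x%.8x";

    render_safe(buf, sizeof buf, catalog_text);
    printf("safe sink : %s\n", buf);
    render_vuln(buf, sizeof buf, catalog_text);
    printf("vuln sink : %s\n", buf);
    printf("marker reached after %d pops of %%.8x\n", find_marker_offset());
    return 0;
}
```

Build with a plain cc and run it a few times on different machines: the safe sink echoes the directives verbatim, the vulnerable sink replaces them with whatever sat in the argument registers and on the stack, and the pop count moves with the compiler, optimisation level and architecture. That moving count is the value a real exploit must find before it can position an address and a %n write, which is why the post wraps its attempt in a brute-forcing loop.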