From owner-freebsd-security Tue Oct 10 17: 7:38 2000
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (cb34181-c.mdsn1.wi.home.com [24.183.3.139]) by hub.freebsd.org (Postfix) with ESMTP id 7F96537B66D for ; Tue, 10 Oct 2000 17:07:35 -0700 (PDT)
Received: (qmail 4275 invoked by uid 1000); 11 Oct 2000 00:11:01 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 11 Oct 2000 00:11:01 -0000
Date: Tue, 10 Oct 2000 19:11:01 -0500 (CDT)
From: Mike Silbersack
To: Steve Reid
Cc: Cy Schubert - ITSD Open Systems Group , freebsd-security@FreeBSD.ORG
Subject: Re: ncurses buffer overflows (fwd)
In-Reply-To: <20001010165908.C9112@grok>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 10 Oct 2000, Steve Reid wrote:

> On Tue, Oct 10, 2000 at 07:02:30AM -0700, Cy Schubert - ITSD Open Systems Group wrote:
> > For those of you who don't subscribe to BUGTRAQ, here's a heads up.
>
> I tried it on a 4.1-R box and a 4.1.1-R box, with the same results both
> times:
>
> steve@grok:/home/steve% ./exploit.csh
> -rwxr-sr-x 1 steve wheel 622908 Oct 10 16:47 /tmp/csh
>
> So there is arbitrary code being executed to copy csh to /tmp and set
> it setgid, but I am in group wheel already, so no gain (it should be
> group kmem). Either systat gives up privs before the Bad Stuff happens,
> or the exploit is just a proof-of-concept designed to not work for
> script kiddies.

Well, the advisory states that ncurses 5.0 and before are vulnerable. It
looks like 5.1-prerelease is what 4.1+ are using. So, until we hear more
from warner/kris, I'm assuming that 4.0/3.x are vulnerable, but 4.1+ is
safe. (The exploit didn't work for me either, FWIW.)

Mike "Silby" Silbersack

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
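The artifact Steve's quoted test left behind, a set-gid copy of csh in /tmp shown by the "-rwxr-sr-x ... /tmp/csh" line, is the kind of thing an administrator would want to sweep for on a machine running a possibly vulnerable ncurses. The following POSIX sh snippet is an added example, not code from the thread or from FreeBSD: it provides one function that recognises a set-uid/set-gid bit in an ls -l mode string like the one quoted above, and a second that walks a directory with find(1) and lists regular files carrying either bit. The directory and file names used in the comments are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): detect set-id executables
# dropped into a scratch directory such as /tmp, as in the quoted
# "-rwxr-sr-x 1 steve wheel ... /tmp/csh" listing.

# is_setid_mode MODE
#   Returns 0 when an ls -l mode string (e.g. "-rwxr-sr-x") has the setuid
#   bit (4th character is s/S) or the setgid bit (7th character is s/S).
is_setid_mode() {
    mode=$1
    owner_x=$(printf '%s' "$mode" | cut -c4)
    group_x=$(printf '%s' "$mode" | cut -c7)
    case "$owner_x$group_x" in
        *s*|*S*) return 0 ;;
        *)       return 1 ;;
    esac
}

# list_setid_files DIR
#   Prints every regular file under DIR that has the setuid (4000) or
#   setgid (2000) bit set, one path per line. Errors (unreadable
#   subdirectories) are silenced so the listing stays clean.
list_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# count_setid_files DIR
#   Number of set-id regular files under DIR, as a bare integer.
count_setid_files() {
    list_setid_files "$1" | wc -l | tr -d ' '
}

# Typical use on a live system (assumed scratch directory):
#   list_setid_files /tmp
# A non-empty result on a world-writable temp directory deserves a look,
# since nothing legitimate normally installs set-id binaries there.
```

On FreeBSD the same sweep is what the periodic security scripts do for the whole filesystem; running it against just /tmp and /var/tmp is cheap enough to do after any report like the one above.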