[emsi@IPARTNERS.PL: glibc/locale sploit for ImmunixOS]

Pawel Krawczyk kravietz w ceti.pl
Wed, 20 Sep 2000, 13:27:49 CEST


A contribution to the discussion about SG. There are exploits that bypass it,
but...

 <quote>
 I would like to remind that by using StackGuarded binaries you're still
 adding extra security level that can be bypassed ONLY under certain
 circumstances!
 </quote>

----- Forwarded message from Mariusz Woloszyn <emsi w IPARTNERS.PL> -----

Approved-By: aleph1 w SECURITYFOCUS.COM
Date:         Tue, 19 Sep 2000 23:15:18 +0200
Reply-To: Mariusz Woloszyn <emsi w IPARTNERS.PL>
From: Mariusz Woloszyn <emsi w IPARTNERS.PL>
Subject:      glibc/locale sploit for ImmunixOS
To: BUGTRAQ w SECURITYFOCUS.COM


I just developed the first publicly known sploit that bypasses StackGuard
protection in the real world. I decided to publish it as the patch for glibc
ImmunixOS is out. It's also the proof of concept described about a year ago
in our (my and Bulba's) Phrack article published in May this year.
[http://phrack.infonexus.com/search.phtml?view&article=p56-5]

The sploit is as simple as possible; it does not take any arguments and
produces a shell with euid==0. All addresses are fixed (stack and env).
The exploiting string overwrites the exit() GOT entry and makes it point to
our shellcode (it's sufficient if the stack is executable), just like
we described it in the Phrack article a long time ago :)

The exploit won't work if glibc is patched (ImmunixOS patched glibc can be
found at:
http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/
        glibc-2.1.3-21_StackGuard.i386.rpm
        glibc-devel-2.1.3-21_StackGuard.i386.rpm
        glibc-profile-2.1.3-21_StackGuard.i386.rpm
        nscd-2.1.3-21_StackGuard.i386.rpm).


I would like to remind that by using StackGuarded binaries you're still
adding extra security level that can be bypassed ONLY under certain
circumstances!

Greetings go to all the best Polish security specialists!

Regards,

--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners, GTS Poland


----- End forwarded message -----

-- 
Paweł Krawczyk <http://ceti.pl/~kravietz/>
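The forwarded post notes that the exploit works by overwriting the exit() GOT entry, something StackGuard's return-address canaries cannot see. The following is an added example, not code from either message: a stdlib-only checker for full RELRO (a PT_GNU_RELRO segment plus a BIND_NOW request), a later toolchain mitigation not mentioned in the post that maps the GOT read-only after loading and so removes the writable GOT this class of attack depends on. The `build_elf64` helper constructs a minimal, hypothetical ELF64 image purely as test input.

```python
"""Added example (not code from either message): check whether an ELF64
binary was built with full RELRO (PT_GNU_RELRO + BIND_NOW), the later
mitigation that leaves no writable GOT entry such as exit() to overwrite."""
import struct

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def relro_status(elf: bytes) -> str:
    """Return 'full', 'partial' or 'none' for a little-endian ELF64 image."""
    if elf[:5] != b"\x7fELF\x02" or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    phoff, = struct.unpack_from("<Q", elf, 0x20)             # e_phoff
    phentsize, phnum = struct.unpack_from("<HH", elf, 0x36)  # e_phentsize, e_phnum
    has_relro = bind_now = False
    for i in range(phnum):
        p_type, _, p_off, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, phoff + i * phentsize)
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:  # look for any form of the BIND_NOW request
            for j in range(p_filesz // 16):
                tag, val = struct.unpack_from("<qQ", elf, p_off + j * 16)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    bind_now = True
    if has_relro and bind_now:
        return "full"
    return "partial" if has_relro else "none"


def build_elf64(phdrs):
    """Constructed test input (hypothetical, not a loadable binary): a minimal
    ELF64 image built from (p_type, [(d_tag, d_val), ...]) pairs."""
    n, ehsize, phentsize = len(phdrs), 64, 56
    body = bytearray(ehsize + n * phentsize)
    body[:16] = b"\x7fELF\x02\x01\x01" + bytes(9)
    struct.pack_into("<HHIQQQIHHHHHH", body, 16, 3, 62, 1, 0, ehsize, 0, 0,
                     ehsize, phentsize, n, 64, 0, 0)
    for i, (p_type, dyn) in enumerate(phdrs):
        blob = b"".join(struct.pack("<qQ", t, v) for t, v in dyn + [(DT_NULL, 0)])
        struct.pack_into("<IIQQQQQQ", body, ehsize + i * phentsize, p_type, 4,
                         len(body), 0, 0, len(blob), len(blob), 8)
        body += blob
    return bytes(body)
```

Partial RELRO still leaves the lazily bound .got.plt entries writable, which is why the check insists on BIND_NOW as well; run `relro_status(open(path, "rb").read())` on a real binary to audit it.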


