[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Re: [SECURITY] Seyon is vulnerable to a root exploit
From:       Bruno Morisson <morisson () CRYOGEN ! COM>
Date:       1998-08-31 18:34:32
[Download RAW message or body]

Martin Schulze wrote:

>     Since SGI does not provide exploit information, we are unable to
>     fix the problem.  SGI provided such information only to recognized
>     security response/incident/coordination organizations and bugtraq
>     doesn't seem to be accepted.  SGI doesn't develop patches to third
>     party products, thus there is no chance for a quick fix.

The bug is in a command line argument to seyon. If you do

root:~# seyon -noemulator <very long string (approximately 200 bytes)>

it will overflow. Getting a shell is trivial (although it needs to
regain previleges through a setreuid(0,0) for example, since seyon drops
previleges), but we were unable to find any Linux distribution that
shipped seyon suid root(at least not the latest slackware and redhat5.1,
we had no access to others). It seems that in redhat 5.1 it is sgid
uucp.

We were able to exploit the bug, so in cases where seyon is suid root it
is possible to get a root shell.

Regards,
Bruno Morisson and Marco Vaz

[prev in list] [next in list] [prev in thread] [next in thread]