
List:       full-disclosure
Subject:    [Full-Disclosure] Re: /bin/mail & glibc
From:       Mark <mark () vulndev ! org>
Date:       2003-05-29 11:39:08

Sorry, I am immensely bored today, so I'm actually reading email!


It's actually a problem with /bin/mail and how it handles the CC field.

/bin/mail -s Test -c `perl -e 'print "A" x 8224'` root@localhost

segfaults and overwrites EIP at 8224 characters (segfaults without EIP
at 8220).


You don't have to be using zsh to create this problem.


There isn't really a lot of worry unless /bin/mail was setuid/setgid...

Easy to spawn a shell. I've put a messy perl exploit together
(www.vulndev.org); run it, insert your '.' and <CR>, and you should get a
shell.

-- 
		         Mark
		   www.vulndev.org
	'If ignorant both of the enemy and yourself,
	you are certain in every battle to be in peril'
   If you know yourself, knowing the enemy does not matter.
		-- Sun Tzu - The Art of War
			(Adapted)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
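The post's own risk assessment hinges on one question: is /bin/mail installed setuid or setgid? The script below is an added example (not from the original post or from any mail implementation) that answers that question for any path and demonstrates itself on constructed files in a temporary directory, so it runs without touching a real system binary. It assumes only a POSIX sh with `test -u` / `test -g` and `mktemp`.

```shell
#!/bin/sh
# Added example: report whether a binary carries setuid/setgid bits.
# A crash in a non-privileged binary is a local DoS; the same crash in a
# setuid/setgid binary is a privilege-escalation concern.

privbits() {
  # Prints one of: setuid, setgid, setuid+setgid, none, missing
  # for the path given in $1. Returns 1 if the path does not exist.
  f="$1"
  if [ ! -e "$f" ]; then
    echo "missing"
    return 1
  fi
  r="none"
  if [ -u "$f" ] && [ -g "$f" ]; then
    r="setuid+setgid"
  elif [ -u "$f" ]; then
    r="setuid"
  elif [ -g "$f" ]; then
    r="setgid"
  fi
  echo "$r"
}

# Demonstration on constructed files (constructed input, not real binaries):
# one plain 0755 file and one 4755 file, reported side by side.
demo() {
  d=$(mktemp -d) || return 1
  : > "$d/plain"; chmod 0755 "$d/plain"
  : > "$d/suid";  chmod 4755 "$d/suid"
  for p in plain suid; do
    printf '%s: %s\n' "$p" "$(privbits "$d/$p")"
  done
  rm -rf "$d"
}

demo
# Check the binary the post talks about; "missing" on systems without it.
printf '/bin/mail: %s\n' "$(privbits /bin/mail 2>/dev/null || echo missing)"
```

Run it as `sh privbits.sh`; if the last line reports anything other than `none` or `missing`, the crash described in the post has a privilege boundary behind it and the binary deserves an upgrade or removal of the bit (`chmod u-s,g-s`).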

