Re: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995

Jay 'Whip' Grizzard (elfchief@lupine.org)
Tue, 29 Aug 1995 17:03:59 -0700

> >REPEAT BY:
> >        We have written an example exploit to overwrite syslog(3)'s
> >        internal buffer using SunOS sendmail(8).  However due to the
> >        severity of this problem, this code will not be made available
> >        to anyone at this time.  Please note that the exploit was fairly
> >        straightforward to put together, therefore expect exploits to be
> >        widely available soon after the release of this advisory.
>
> If it's so straightforward, let's have it ! I want to check my linux and
> my ISP's FreeBSD. Bugtraq is FULL DISCLOSURE !! So, please post source/
> scripts now !

Actually, (not to get into a religious war), I would consider what 8lgm
has done to _BE_ full-disclosure. Full disclosure means giving full details
about a hole (which 8lgm DID, in this case, kudos to them!), not necessarily
giving exploit scripts so that everyone and their brother can start breaking
into systems.

ObBugTraq: You can check to see if you are vulnerable by reading the source
for your C shared library. Look at the code for the syslog() routine,
and see if it has protections to keep from writing off the end of the
static-size buffer it uses to send the message to syslogd. If it doesn't
have a "safety net," it's vulnerable.

                                                                        -WW
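
An added example, not part of the original post and not code from 8lgm or any libc: a sketch of the kind of "safety net" to look for when reading a syslog() implementation, with the unbounded pattern shown in a comment for comparison. The function name, buffer size and sample input are constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF_SIZE 64  /* constructed size; real libc buffers differ */

/* Illustrative pattern with NO safety net (what to look for in an audit):
 *     char tbuf[N]; char *p = tbuf;
 *     p += sprintf(p, "<%d>", pri);
 *     vsprintf(p, fmt, ap);    // output length is set by the caller's data
 */

/* Hypothetical bounded formatter: each write is limited to the space left.
 * Returns 0 if the message fit, 1 if it was truncated, -1 on error. */
int format_log_bounded(char *buf, size_t size, int pri, const char *fmt, ...)
{
    va_list ap;
    int n, m;

    if (size == 0)
        return -1;
    n = snprintf(buf, size, "<%d>", pri);
    if (n < 0)
        return -1;
    if ((size_t)n >= size)
        return 1;                      /* priority header alone filled it */
    va_start(ap, fmt);
    m = vsnprintf(buf + n, size - (size_t)n, fmt, ap);
    va_end(ap);
    if (m < 0)
        return -1;
    return (size_t)m >= size - (size_t)n;
}

/* Static-size buffer followed by a canary; input is constructed and oversized. */
struct guarded { char buf[LOG_BUF_SIZE]; char canary[8]; };

int demo_oversized(void)
{
    struct guarded g;
    char big[512];

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    memcpy(g.canary, "CANARY!", 8);
    int truncated = format_log_bounded(g.buf, sizeof g.buf, 14, "%s", big);
    /* 1 only if the message was cut at the buffer end and the canary survived */
    return truncated == 1 && strlen(g.buf) == LOG_BUF_SIZE - 1
        && memcmp(g.canary, "CANARY!", 8) == 0;
}
```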