Re: [Full-disclosure] Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient
- From: root <root_@xxxxxxxxxxxxxxx>
- Date: Sun, 01 May 2011 08:33:33 -0300
However I have to say that Mr. Neo here may have an actually exploitable
bug if the overflow code can also be reached with a remote codepath.
On 04/29/2011 12:43 AM, Mario Vilas wrote:
> Precisely. The poc triggers the bug by passing a very long command line
> argument, so it's assumed the attacker already has executed code. The only
> way this is exploitable is if the binary has suid (then the attacker can
> elevate privileges) or the command can be executed remotely (and the
> attacker additionally cannot execute any other commands, but can mysteriously
> control the arguments). Unless either scenario is researched (and nothing in
> the advisory tells me so) I call bullshit.
>
> On Thu, Apr 28, 2011 at 6:09 PM, <Valdis.Kletnieks@xxxxxx> wrote:
>
>> On Thu, 28 Apr 2011 14:40:22 -0300, Mario Vilas said:
>>
>>> Is the suid bit set on that binary? Otherwise, unless I'm missing
>>> something
>>> it doesn't seem to be exploitable by an attacker...
>>
>> Who cares? You got code executed on the remote box, that's the *hard*
>> part.
>> Use that to inject a callback shell or something, use *that* to get
>> yourself a shell prompt. At that point, download something else that
>> exploits you to root - if you even *need* to, as quite often the Good
>> Stuff is readable by non-root users.
>>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
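The thread's disagreement comes down to one triage question: does an overflow that is reachable only through argv cross a privilege boundary? The check below is an added example written for this page, not code from the advisory or from any poster; the function name, the `remotely_invoked` flag and the constructed temp files are assumptions. It reads the file mode of a binary and reports whether a long-argument crash would run as a different uid/gid (setuid/setgid) or whether the triager has established a remote codepath that feeds argv; a binary that is neither is the "attacker already runs code as themselves" case from the thread.

```python
import os
import stat
import tempfile


def privilege_boundary(path: str, remotely_invoked: bool = False) -> dict:
    """Triage an argv-only crash: does exploiting it gain anything?

    Returns a dict describing the binary's mode bits and a verdict
    ``crosses_boundary``. ``remotely_invoked`` is an assumption supplied by
    the triager (the file mode cannot tell us whether something network-facing
    passes untrusted arguments to this program).
    """
    st = os.stat(path)
    mode = st.st_mode
    setuid = bool(mode & stat.S_ISUID)
    setgid = bool(mode & stat.S_ISGID)
    # Without an execute bit nobody can invoke the binary, so argv is moot.
    executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))

    reasons = []
    if setuid:
        reasons.append(f"setuid: runs as uid {st.st_uid}")
    if setgid:
        reasons.append(f"setgid: runs with gid {st.st_gid}")
    if remotely_invoked:
        reasons.append("argv is fed from a remote codepath")

    return {
        "path": path,
        "executable": executable,
        "setuid": setuid,
        "setgid": setgid,
        "owner_uid": st.st_uid,
        "crosses_boundary": executable and bool(reasons),
        "reasons": reasons,
    }


def make_sample_binary(mode: int) -> str:
    """Create a constructed stand-in 'binary' with the given mode bits.

    Used so the example runs offline; the file holds a shell stub only.
    Setting S_ISUID on a file you own is permitted for an unprivileged user,
    so the setuid case can be demonstrated without root.
    """
    fd, path = tempfile.mkstemp(prefix="apclient-demo-")
    with os.fdopen(fd, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    plain = make_sample_binary(0o755)
    suid = make_sample_binary(0o4755)
    for p, remote in ((plain, False), (suid, False), (plain, True)):
        verdict = privilege_boundary(p, remotely_invoked=remote)
        print(verdict["path"], "->", verdict["crosses_boundary"], verdict["reasons"])
    os.unlink(plain)
    os.unlink(suid)
```

Run it and the plain 0755 file reports no boundary, the 4755 file reports a setuid boundary, and the plain file with `remotely_invoked=True` reports a boundary only because the triager asserted a remote codepath; that last input is exactly the evidence the thread says an advisory must supply before an argv overflow counts as exploitable.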