On Wed, 9 Jan 2002 [EMAIL PROTECTED] wrote:

> Sorry, Steve, I don't quite understand this one. More details
> would be appreciated. I understand that lpd is on port 515
> and that its buffer can be overflowed, but I don't see how
> that gives the cracker meaningful access to the system.
> On Slackware at least, lpd does not have root privileges

I would imagine overflowing Slackware's lpd buffer wouldn't be as satisfying then. ;-)

> and it isn't given a shell. I have trouble seeing how a
> cracker could proceed from there. However, I am ready to
> learn and would welcome an explanation.

I am neither cracker nor programmer, so I can't address the nitty-gritty details. I do know that one doesn't need a shell in order to execute code. If you can make sense of the C used to do such things, there are literally hundreds of "obsolete" exploits on fyodor's pages which I imagine would be enlightening.

Since lpd isn't as common as I thought it might be, maybe crontab would be better... Here's the URL of an old vixie crontab exploit (including source):

http://www.insecure.org/sploits/vixie.crontab.overflow.html

And a description (sans code) of the dillon crontab exploit (used in Slack 3.4):

http://www.insecure.org/sploits/dillon.crontab.html

- Steve
