On Mon, 20 Mar 2000, Daniel Jacobowitz wrote:
> Actually, it was exploitable, if you are referring to the
> username-passed-in-format-string bit. In my efforts for
> crack.linuxppc.org (which I have not gotten around to writing up yet,
> but will - there were a few interesting tidbits), I used that for two
> tricks: to gain root access within the chroot and to disable dropping
> of capabilities.
Hmm, correct me if I'm wrong, but in this particular case we're not
inside a chroot() cage, nor is ntalkd using capabilities. In my next
post I described that we don't have enough space to overwrite anything
interesting on the stack, at least when we can overwrite it only with a
small integer. I'd appreciate it if you told me what I've missed.
_______________________________________________________
Michal Zalewski * [[EMAIL PROTECTED]] <=> [AGS WAN SYSADM]
[dione.ids.pl SYSADM] <-> [http://lcamtuf.na.export.pl]
[+48 22 551 45 93] [+48 603 110 160] bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
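As an added illustration (not code from ntalkd or from either poster), here are the vulnerable and corrected call patterns behind the "username passed as format string" bug the thread refers to, in C. The function names, the buffer size and the sample user names are assumptions made for the example; the point is that the fix is a constant format with the user name passed as data, plus an input check that keeps '%' out of a name before it reaches any logging path.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from ntalkd or from either poster.
 * Illustrates the defect class discussed in the thread: a peer-supplied
 * user name reaching a printf-style function as its format argument.
 * Names and sizes below are constructed for illustration. */

#define LOG_LINE 128

/* Vulnerable pattern: the caller's string becomes the format argument,
 * so every '%' conversion in it is interpreted by the formatter.
 * Calling this with a name that contains '%' is undefined behaviour;
 * it is kept here only to contrast with the fixed version. */
static int log_announce_vulnerable(char *out, size_t outlen, const char *username)
{
    return snprintf(out, outlen, username);
}

/* Fixed pattern: a constant format, the user name passed purely as data. */
static int log_announce_fixed(char *out, size_t outlen, const char *username)
{
    return snprintf(out, outlen, "%s", username);
}

/* Defensive input check: reject a user name carrying format characters
 * before it reaches any logging or announcement path. Returns 1 if the
 * name contains '%', 0 otherwise. */
static int username_has_format_chars(const char *username)
{
    return strchr(username, '%') != NULL;
}

int main(void)
{
    char line[LOG_LINE];

    /* Benign name: both variants behave identically. */
    log_announce_vulnerable(line, sizeof line, "alice");
    printf("vulnerable, benign input: %s\n", line);

    /* Hostile-looking name: only the fixed variant is safe to call; it
     * copies the bytes literally instead of interpreting them. */
    const char *odd = "%x%x%n";
    if (username_has_format_chars(odd))
        printf("input check would reject: %s\n", odd);
    log_announce_fixed(line, sizeof line, odd);
    printf("fixed, literal copy: %s\n", line);
    return 0;
}
```

The check function is the cheap mitigation a daemon can apply at the protocol boundary; the constant-format call is the actual fix, and it is the one a compiler's format-string warnings will push you toward.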