On Thu, Apr 29, 2004 at 02:20:31PM -0700, Rob Hudson wrote:
> How does this work?

Short answer is they utilize a bug, like a buffer overflow, in a setuid program. The setuid prog, say '/bin/ping', runs as root to access the network socket. Let's say ping has an option --BD. When it is fed input from the user it does some stuff on it, like prints extra fields. Perhaps there is a bug in the code that processes the user input to --BD, and under the right circumstances it might actually execute that code:

    ping google.com --BD="%Y%D%m-%T\0x33\0x34\0x66\0x88\0x224\0x221"

--BD was only expecting a few date strings, like %Y %D. Since I gave it something it didn't expect, it 'exploited' the bug. Perhaps it did so that it ran my extra input as an executable. Perhaps my extra input was some code that told it to run /bin/bash. That would give me a root shell.

Another method would be to have the input code change my uid to 0. After the program finished, I'd be root.

Cory

--
Cory Petkovsek                      Adaptable IT Consulting
Adapting Information Technology     (858) 705-1655
to Your Business                    [EMAIL PROTECTED]
                                    www.AdaptableIT.com

_______________________________________________
EUGLUG mailing list
[EMAIL PROTECTED]
http://www.euglug.org/mailman/listinfo/euglug

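As an added illustration (not Cory's code and not any real ping source), here is the least-privilege pattern that limits the damage from the kind of bug described above: the setuid program does its privileged work (opening the raw socket) first, drops root permanently, and only then touches user-supplied option text, using a bounded copy where an unchecked one would overrun the buffer. The option size and the "%Y%D" sample value are constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>

#define OPT_MAX 64 /* constructed buffer size for the example */

/* Permanently give up root. Returns 0 on success. After this, a bug in
   option parsing runs as the invoking user, not as uid 0, and the kernel
   refuses any later attempt to regain root. */
int drop_privileges(void) {
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (setgid(gid) != 0) return -1;   /* group first, while still root */
    if (setuid(uid) != 0) return -1;   /* as root this sets real, effective and saved uid */
    /* Sanity check: a non-root process must not be able to get uid 0 back. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Bounded copy of a user-supplied option into a fixed-size buffer.
   The unsafe form is strcpy(dst, src): a value longer than dstlen
   overruns dst, which is the buffer-overflow class the mail describes.
   Over-long input is rejected outright rather than silently truncated. */
int copy_option(char *dst, size_t dstlen, const char *src) {
    size_t n = strlen(src);
    if (n >= dstlen) { errno = E2BIG; return -1; }
    memcpy(dst, src, n + 1);
    return 0;
}

int main(int argc, char **argv) {
    /* Privileged step first: a raw ICMP socket needs root (or CAP_NET_RAW).
       It simply fails for an ordinary user, which is fine for the demo. */
    int sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (drop_privileges() != 0) { perror("drop_privileges"); return 1; }
    char opt[OPT_MAX];
    const char *src = argc > 1 ? argv[1] : "%Y%D";
    if (copy_option(opt, sizeof opt, src) != 0) { fprintf(stderr, "option too long\n"); return 2; }
    printf("parsing option '%s' as uid %u (raw socket %s)\n",
           opt, (unsigned)getuid(), sock >= 0 ? "open" : "unavailable");
    if (sock >= 0) close(sock);
    return 0;
}
```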