Buffer overflow in the cidentd authlie file

Summary
Description: typical overflow
Author: Jackal <jackal@HACK.GR>
Compromise: run arbitrary code as the UID running cidentd (probably user nobody) (local)
Vulnerable Systems: Those running cidentd with ~/.authlie enabled
Date: 10 January 1998
Details


Date: Sat, 10 Jan 1998 14:32:44 +0200
From: Jackal <jackal@HACK.GR>
To: BUGTRAQ@NETSPACE.ORG
Subject: Cidentd

I'm sorry if this is already known, but I'm new to bugtraq. I've been using
cidentd for quite a long time and I have never had any problems. But,
while I was looking in the code I found something interesting. The
buffers cident uses for reading from /etc/cident.users and ~/.authlie
are all 1024 bytes long. So I created as a normal user a ~/.authlie with
a single line like this:
user    xxxx......xxxxx
         (1024 times)
And something not so unexpected happened... Cidentd would core dump...
I'm not too good with making buffer overflow exploits, but I believe
that xxx could be replaced with some shell code like making a suid shell
in /tmp.

Jackal/XTC
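
A bounded reader for the kind of line shown in the post, added here as an illustration and not taken from cidentd's source. The function names, the `user <name>` grammar (inferred from the sample line) and the return codes are assumptions; only the 1024-byte buffer size comes from the post.

```c
#include <stdio.h>
#include <string.h>

#define AUTHLIE_BUF 1024  /* buffer size reported in the post */
/* Hypothetical helper (not cidentd's code). Reads the first "user <name>"
 * line from fp into out. Returns 0 on success, -1 if there is no usable
 * entry, -2 if a line does not fit the buffer (rejected, not truncated). */
int read_authlie_user(FILE *fp, char *out, size_t outsz)
{
    char line[AUTHLIE_BUF];
    while (fgets(line, sizeof line, fp) != NULL) {   /* bounded read */
        size_t len = strlen(line);
        if (len > 0 && line[len - 1] == '\n')
            line[--len] = '\0';
        else if (len == sizeof line - 1)
            return -2;   /* buffer filled with no newline: overlong line */
        if (strncmp(line, "user", 4) != 0 ||
            (line[4] != ' ' && line[4] != '\t'))
            continue;    /* not a "user" line, skip it */
        const char *name = line + 4 + strspn(line + 4, " \t");
        size_t nlen = strcspn(name, " \t");
        if (nlen == 0 || nlen >= outsz)
            return -1;   /* empty name, or too long for the caller */
        memcpy(out, name, nlen);
        out[nlen] = '\0';
        return 0;
    }
    return -1;
}

/* Runs the reader over constructed file contents held in a temp file. */
int check_authlie_text(const char *text, char *out, size_t outsz)
{
    FILE *fp = tmpfile();
    if (fp == NULL) return -3;
    fputs(text, fp);
    rewind(fp);
    int rc = read_authlie_user(fp, out, outsz);
    fclose(fp);
    return rc;
}

int main(void)
{
    char name[64];
    int rc = check_authlie_text("user    alice\n", name, sizeof name);
    printf("rc=%d name=%s\n", rc, rc == 0 ? name : "-");
    return 0;
}
```

Rejecting an overlong line outright, rather than truncating it, keeps a user-controlled file from ever supplying a partial or shifted entry to the daemon.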

This page is part of Fyodor's exploit world.