Buffer overflow in the cidentd authlie file

Summary

Description:	typical overflow
Author:	Jackal <jackal@HACK.GR>
Compromise:	run arbitrary code as the UID running cidentd (probably user nobody) (local)
Vulnerable Systems:	Those running cidentd with ~/.authlie enabled
Date:	10 January 1998

Details


Date: Sat, 10 Jan 1998 14:32:44 +0200
From: Jackal <jackal@HACK.GR>
To: BUGTRAQ@NETSPACE.ORG
Subject: Cidentd

I'm sorry if this already known but i'm new to bugtraq. I've been using
cidentd for quite a long of time and I have never had any problems. But,
while i was looking in the code i found something interesting. The
buffers cident uses for reading from /etc/cident.users and ~/.authlie
are all 1024 bytes long. So i created as a normal user a ~/.authlie with
a single line like this:
user    xxxx......xxxxx
         (1024 times)
And something not so unexpectable happened... Cidentd would core dump...
I'm not too good with making buffer overflow exploits, but I believe
that xxx could be replaced with some shell code like making a suid shell
in /tmp.

Jackal/XTC

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:

All OS's	Linux	Solaris/SunOS	Micro$oft
*BSD	Macintosh	AIX	IRIX
ULTRIX/Digital UNIX	HP/UX	SCO	Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: