On Sat, Sep 18, 2004 at 09:57:19PM +0200, Michal Zalewski wrote: > Exposure: > > Remote root compromise through buffer handling flaws FWIW, some (two?) distributions have privsep'ed telnetd by now, where the immediate impact of this flaw (if it were present there) would be code execution as pseudo-user "telnetd" chrooted to /var/empty. (*) This was first implemented by Chris Evans in 2000 and patches posted on the security-audit mailing list. My re-implementation of it in Openwall GNU/*/Linux differs slightly: http://www.openwall.com/presentations/Owl/mgp00017.html http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/telnet/ (*) Of course, while not as bad as immediate root, this level of access would still be quite nasty: it means ability to mount further attacks off the system and ability to attack the system's own kernel via syscall interfaces (possibly ultimately gaining root access, if a suitable kernel bug is present, known to the attacker, and is successfully exploited). -- Alexander Peslyak <solar at openwall.com> GPG key ID: B35D3598 fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598 http://www.openwall.com - bringing security into open computing environments
