Fedora - Exploit Overflow Vulnerability
ghaefb
21st January 2005, 08:57 AM
If any 'whitehat' hackers here are interested in Buffer/Stack Overflows in FedoraCore Linux, here is an interesting article:
http://neworder.box.sk/newsread.php?newsid=13007
Did anyone try to "overflow" any Fedora box?
I'm talking for research/educational purposes, not evil. :)
I didn't try this myself, but I'm interested in whether it can be done to spawn a root shell like this on FedoraCore3, 2 or 1 maybe.
xaphan
28th January 2005, 12:55 AM
This one http://irccrew.org/~cras/security/c-guide.html is also interesting...
---
Pascal Gauthier
Dog-One
29th January 2005, 01:00 AM
I'm trying the example, but things seem a bit different on my x86_64 system; allocation sizes, registers and such. I should have something to add once I try it on my PII test box.
UPDATE: I went through the example on my FC3 test machine (fully updated) and the exploit works--meaning FC3 is just as vulnerable to this exploit as FC2 in the example. So watch your user accounts and carefully monitor any apps that are setuid root. Also, any strange looking symbolic links appearing may well be an indication of bad things to come.
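The advice above is to watch setuid-root programs. The following script is an added example, not from the thread or the linked article: it records a baseline of setuid binaries and reports any that appear later, which is how a defender would notice a freshly planted one. The function names and the baseline-file layout are my own choices.

```sh
#!/bin/sh
# Added example (not from the thread): baseline and diff the setuid binaries
# on a system so a newly added one stands out during routine monitoring.

# list_setuid DIR: print every regular file under DIR that carries the
# setuid bit (mode 4000), one path per line, sorted so the output is
# stable enough to store as a baseline. -xdev keeps find on one filesystem.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# new_setuid DIR BASELINE: print setuid files under DIR that are not listed
# in BASELINE (a sorted file previously written by list_setuid).
# comm -13 suppresses lines unique to the baseline and lines common to both,
# leaving only paths that are new since the baseline was taken.
new_setuid() {
    list_setuid "$1" | comm -13 "$2" -
}

# setuid_count DIR: number of setuid files under DIR, handy for a quick
# sanity check against the count recorded with the baseline.
setuid_count() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# Typical use (run as root so every directory is readable):
#   list_setuid / > /var/lib/setuid.baseline     # once, on a known-good box
#   new_setuid / /var/lib/setuid.baseline        # from cron; any output is suspect
```

Anything reported by new_setuid deserves a look, as does any change in ownership or mode of a file already in the baseline.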
ghaefb
29th January 2005, 07:51 AM
Are you serious?
Which example did you try?
Dog-One
29th January 2005, 04:03 PM
"Are you serious?" As a heart attack.
"Which example did you try?" Search your link (http://neworder.box.sk/newsread.php?newsid=13007) to
++++++++++++++++++
Steps to exploit
++++++++++++++++++
and follow the example.
I compiled the exploit.c and the vul.c code. Did a chown root:root vul, then a chmod 4755 vul. You'll have to use gdb as in the example because the pointers I got didn't match exactly. Make your symbolic link, again you'll have to rekey using your pointer values. And when I ran vul as a regular user with the overflow argument, bam! There I was with a root shell.
If anyone is really interested, I'll make a tarball of the stuff with a makefile. The only catch is if you use it to cause damage and I go to the pen, when I get out, you'll be very sorry to have ever known me. ;)
Void Main
29th January 2005, 04:38 PM
Did a chown root:root vul, then a chmod 4755 vul.
I'm sure I am missing something as I did not read the article in detail, but since you can't chown a file without being root, what's the point? Or can the procedure be used on any file on your system that is already SUID root, with the example programs used in their place just for demonstration?
Uhlix
29th January 2005, 06:52 PM
I have been able to spawn several shells of other users by manipulating some crappily coded shell programs they have. The oldest and greatest must be using command separators ";" to run commands at their user level to spawn a shell.
Dog-One
29th January 2005, 11:42 PM
"I'm sure I am missing something as I did not read the article in detail but since you can't chown a file without being root what's the point? Or can the procedure be used on any file on your system that are already SUID root and the example programs are used in their place just for demonstration?" The latter. The vulnerable program written for the example would be one on your system that is already SUID root, that accepts arguments from the command line, and that doesn't check its buffers properly. Your friendly neighborhood hacker takes a system like FC3 and looks at the source code to find one, then uses gdb on a precompiled binary to get a normal snapshot of its pointer indexes. Once that's done, he builds a suitable exploit. Now the example assumes he already has user priv to your system--that may be from a man-in-the-middle ssh attack or more likely an ftp sniff of your account information (something a person having access to an Internet router could easily get). The hacker then logs in to your system as a regular user, runs the exploit and presto changeo, owns your system. If it doesn't work straight away, he can always run gdb on your system and get the actual pointers in use.
Check this thread for the files that would be a target.
Void Main
29th January 2005, 11:50 PM
So the only way a local user can exploit this is if they know of an SUID program with a buffer overflow vulnerability? If this is the case then I don't see it as being any new revelation. If you have people breaking into your system without being noticed then you already have issues that need to be fixed. If they then have to find a yet-to-be-discovered buffer overflow in a well-known SUID program then I don't see this as a huge problem. The way I originally read it, there was an existing hole that could easily be exploited on any FC2/3 system without already having root privileges.