Autor: Romuald Zylla, Lodz Tech.Univ. Poland (zylla_at_lodz1.p.lodz.pl)
Data: Wed 10 Jul 1996 - 19:44:02 MET DST
__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
INFORMATION BULLETIN
dip Program Vulnerability
July 9, 1996 17:00 GMT Number G-29
______________________________________________________________________________
PROBLEM: A vulnerability in the dip program makes it possible to
overflow an internal buffer whose value is under the control of
the user of the dip program. The dip program manages the
connections needed for dial-up links such as SLIP and PPP.
PLATFORM: Linux systems for X86 hardware.
DAMAGE: On systems that have dip installed as set-user-id root, anyone
with access to an account on that system can gain root access.
SOLUTION: Disable the present installed version and install the new
version of dip.
______________________________________________________________________________
VULNERABILITY Exploitation scripts for dip have been found running on Linux
ASSESSMENT: systems for X86 hardware. However, exploitation scripts for
other architectures and operating systems have not been found,
but could be easily developed.
______________________________________________________________________________
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
-------- PeCetologia to nauka eksperymentalna --------
To archiwum zostało wygenerowane przez hypermail 2.1.7 : Wed 19 May 2004 - 15:58:24 MET DST