
[Full-Disclosure] Re: HTML Help API - Privilege Escalation



KF <dotslash@snosoft.com> writes:

[...]

> I would relate this
> type of attack to a setuid program calling system("clear") while
> running as root on a unix machine. This does not mean that system() is
> flawed rather that when implementing this call you need to be more
> careful and drop your privs. 

Well, if you have a program to be run in suid mode, every Unix admin
should be alerted. They are used to review the source code of this
kind of stuff.


You won't be able to do this with your average windows junk...


Just a thought...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
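
The setuid `system("clear")` case from the quoted text, next to a form that drops privileges first, as an added example that is not part of the original posts. The function names, the fixed `PATH` and `TERM` values, and the `/usr/bin/clear` path are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pattern from the quoted text, kept for contrast: in a setuid-root binary
 * this runs "sh -c clear" as root, and the caller's PATH picks the binary. */
int clear_screen_unsafe(void) { return system("clear"); }

/* Permanently drop to the real ids, group first, then user. In a setuid-root
 * program setuid() called with euid 0 resets real, effective and saved uid. */
static int drop_privs(void)
{
    uid_t ru = getuid();
    gid_t rg = getgid();
    if (setgid(rg) != 0 || setuid(ru) != 0) return -1;
    /* Verify the drop: regaining root must fail for a non-root caller. */
    if (ru != 0 && setuid(0) == 0) return -1;
    return (geteuid() == ru && getegid() == rg) ? 0 : -1;
}

/* Hardened form: no shell, absolute path only, fixed environment (assumed
 * values), privileges dropped in the child before exec.
 * Returns the child's exit status, or -1 on error. */
int run_unprivileged(const char *abs_path)
{
    char *const argv[] = { (char *)abs_path, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", "TERM=vt100", NULL };
    int status;
    pid_t pid;

    if (abs_path == NULL || abs_path[0] != '/') return -1; /* no PATH lookup */
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privs() != 0) _exit(126);  /* refuse to exec while elevated */
        execve(abs_path, argv, envp);
        _exit(127);                         /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int rc = run_unprivileged("/usr/bin/clear"); /* assumed install path */
    fprintf(stderr, "clear exited with status %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```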