Hi!

On Wed, Jun 16, 1999 at 02:27:43AM +0200, Guido Flohr wrote:
> I think the only part of UNIXMODE that gets evaluated by the MiNTLib is
> the "b" resp. the missing "b".

The "rX" part should also be evaluated in crtinit.c somewhere, to set the
current directory to the root dir of drive X.

> BTW (just curiosity), could you tell me what that security problem with
> Linux was?

The contents of the NLS_PATH variable were copied into a fixed-length
buffer without respecting this limit, i.e. you could cause a buffer
overflow (overwriting stack contents) by setting NLS_PATH to something
large. By carefully designing the bytes that got onto the stack, you could
cause arbitrary code to get executed, i.e. exec("/bin/sh"). As this also
affected all suid-binaries, it was dead easy to get root access.

Usually, you find overflow bugs like this in programs, not in system
libraries, and that's why this problem was especially serious, because
there was no easy fix (the buggy code was called on startup, not on
demand). You either had to update libc ASAP, or, if this couldn't be done
quickly enough, hexedit libc so that NLS_PATH was set to something
different, to prevent kids from exploiting the bug. Also, statically
linked suid-binaries had to be replaced or patched, too.

Ciao

Thomas

--
Thomas Binder (Gryf @ IRCNet)          gryf@hrzpub.tu-darmstadt.de
PGP-key available on request!   binder@rbg.informatik.tu-darmstadt.de
Vote against SPAM: http://www.politik-digital.de/spam/
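The defect described in the mail (an environment value copied at library start-up into a fixed-size stack buffer with no length check) next to the two things a defender wants in its place: a bounds check that rejects oversized values, and ignoring environment-supplied paths altogether when the process is privileged (suid). This is an added C example, not code from the original mail or from any libc; the buffer size, the fallback path, the `privileged` flag and all function names are constructed assumptions, since the real libc code is not on the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed buffer size for the example; the real libc size is not known here. */
#define NLS_PATH_BUFSZ 64

/* Vulnerable pattern from the mail: copy with no regard for the destination
 * size. Kept only as the "before" for contrast; the example never calls it
 * with a value that does not fit. */
static void copy_nls_path_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);   /* writes past dst when strlen(src) >= NLS_PATH_BUFSZ */
}

/* Hardened copy: refuse anything that does not fit together with its NUL
 * terminator, and report the refusal instead of silently truncating. */
static int copy_nls_path_checked(char dst[NLS_PATH_BUFSZ], const char *src)
{
    size_t n = strlen(src);
    if (n >= NLS_PATH_BUFSZ)
        return -1;                /* too long: nothing is written */
    memcpy(dst, src, n + 1);      /* n + 1 copies the terminator as well */
    return 0;
}

/* Emulates the start-up step that resolved the catalog path. Returns "env"
 * when the environment value was accepted and "default" when the built-in
 * fallback was used. `privileged` stands for "real and effective uid differ";
 * in that case the environment is not trusted at all, so a suid binary cannot
 * be steered by NLS_PATH even when the value would fit. */
static const char *resolve_nls_path(const char *env_value, int privileged,
                                    char dst[NLS_PATH_BUFSZ])
{
    const char *fallback = "/usr/share/locale";   /* constructed default */

    if (!privileged && env_value != NULL &&
        copy_nls_path_checked(dst, env_value) == 0)
        return "env";

    copy_nls_path_checked(dst, fallback);         /* fallback always fits */
    return "default";
}

int main(void)
{
    char path[NLS_PATH_BUFSZ];
    int privileged = (getuid() != geteuid());
    const char *source = resolve_nls_path(getenv("NLS_PATH"), privileged, path);

    printf("NLS path: %s (from %s)\n", path, source);
    return 0;
}
```

Running the binary with a 200-byte NLS_PATH prints the fallback path instead of corrupting the stack; running it suid would also print the fallback for any NLS_PATH value, which is the property a library linked into privileged programs needs.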