On Thu, Nov 08, 2007 at 02:27:14PM -0800, Gregg Berkholtz wrote:
> If a user has limited sudo privileges, for example, only the ability to
> execute sethdlc, couldn't they exploit this vulnerability to execute
> arbitrary code as root?

The problem is lack of proper sanitation of the parameter -i (interface 
name) for both sethdlc and sethdlc-new . Thus in order to exploit this
bug, one needs to be able to pass an interface name that is long enough
to that parameter.

If you allow the user to execute the script ifup-hdlc from zaptel, this
shouldn't be a problem. I figure you should fix it with
s/sethdlc/sethdlc-new/ .

Some further clarifications:

1. sethdlc-new
Zaptel contains both sethdlc.c and sethdlc-new.c . Both had the same
problem and were fixed. sethdlc only works with really old systems
(kernels < 2.4.22, IIRC). All others should use sethdlc-new .

2. Kernel/userspace
Unlike information published by some "security company" (and
apparently later retracted), this is not a buffer overflow in kernel
code. sethdlc.c is not a Zaptel driver.

-- 
               Tzafrir Cohen       
icq#16849755              jabber:[EMAIL PROTECTED]
+972-50-7952406           mailto:[EMAIL PROTECTED]       
http://www.xorcom.com  iax:[EMAIL PROTECTED]/tzafrir
