Re: HP-UX finger possible security hole
Walter Misar (misar@RBG.INFORMATIK.TU-DARMSTADT.DE)
Wed, 27 May 1998 08:45:22 +0200
- Next message: Michael K. Johnson: "SECURITY: Red Hat Linux 5.1 linuxconf bug"
- Previous message: Chris Evans: "ALERT: Tiresome security hole in "xosview", RedHat5.1?"
- Maybe in reply to: dauphin Robert: "HP-UX finger possible security hole"
- Next in thread: Nicholas Rutterford: "Re: HP-UX finger possible security hole"
> while i was playing with the finger command, i got a coredump when
> i submit
>
> finger aaaa ( 200 random characters )
>
> i wonder if this is a possible security hole because the finger
> command is owned by bin group.
The situation is far worse, if fingerd is run (which invokes finger).
> my HP-UX is A.09.05 A 9000/73
>
> sorry if this is an old bug i didn't have the time to check the archive
> and forgive me for my broken english :)
When I first noticed this some years ago, I didn't find anything about it
in any archives. But the hole should prove hard to exploit anyway - at least
for the m68k hpux version, the overflow was in the malloc() area - it cores
after a second call to malloc(). So standard techniques won't apply, but
it should be possible to direct the write to the second malloced() area to
any memory location.
Walter