Subject: Possible vulnerability in HPUX
From: Quentin GIORGI (qgiorgiSANCERRE.GRENOBLE.HP.COM)
Date: Wed Aug 09 2000 - 02:31:00 CDT


Hello,

A few days ago I read the mail [ Hackerslab bug_paper ] HP-UX bdf -t
option buffer overflow vul. And decided to see any other possible
vulnerability(ies) on my system (HP-UX 10.20).
After a *few* minutes ( maybe a little more :) ), trying each setuid exe
with different options, I finally got results as for bdf:
My basic knowledge tells me that it could be exploitable, but as I am
not a PA RISC assembly expert, I let anyone decide.

I have a quick query on the database vulnerability and can't see
anything about this on HPUX, but...

df:

---
sancerre: /home/qgiorgi>ll `which df`
-r-sr-xr-x   1 root       bin          69632 Jun 10  1996 /usr/bin/df

sancerre: /home/qgiorgi>df -F `perl -e "print 't'x3631"`
df: ttt <skip> ttt : No such file or directory
usage : df [-F FStype] [-V] [-egiklnvfb] [-t|-P] [-o specific_options] [special | directory ...]
sancerre: /home/qgiorgi>df -F `perl -e "print 't'x3632"`
Segmentation fault

exrecover:
--------
sancerre: /home/qgiorgi>ll `which exrecover`
-r-sr-xr-x 1 root bin 20480 May 30 1996 /usr/lbin/exrecover

sancerre: /home/qgiorgi>exrecover anythingUwant `perl -e "print 't'x4703"`
File not found
sancerre: /home/qgiorgi>exrecover anythingUwant `perl -e "print 't'x4704"`
Segmentation fault

And eventually, but it is owned by uucp, I think it's less interesting.

uusub:
-----
sancerre: /home/qgiorgi>ll `which uusub`
-r-sr-xr-x 1 uucp bin 32768 May 30 1996 /usr/lib/uucp/uusub
sancerre: /home/qgiorgi>uusub -a `perl -e "print 't'x212"`
sancerre: /home/qgiorgi>
sancerre: /home/qgiorgi>uusub -a `perl -e "print 't'x213"`
Segmentation fault

I also tried this on HPUX 11.00 (9911):
uusub works with length of 225
exrecover works with length > 2700

I hope this could help.

---------------------------------------------------------------------------
Quentin GIORGI
Network Engineer
E.I.C IDA
---------------------------------------------------------------------------
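
Added example (not part of the original post, and not HP's code): the post does not show the HP-UX source, so this is a constructed illustration of the bug class the crashes suggest, an option argument copied into a fixed-size buffer, next to a bounded replacement. The helper path, FSTYPE_MAX and the function names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FSTYPE_MAX 32  /* assumed upper bound for a file-system type name */

/* Unsafe pattern, shown only as a comment for contrast (hypothetical):
 *     char path[128];
 *     sprintf(path, "/opt/example/fs/%s/df", argv_fstype);
 * Nothing bounds argv_fstype, so a multi-kilobyte argument overruns path. */

/* Length of s, never reading more than max bytes. */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* Hardened form: returns 0 and fills out, or -1 if the argument is rejected. */
int build_helper_path(const char *fstype, char *out, size_t outlen) {
    size_t i, n;
    int w;
    if (fstype == NULL || out == NULL || outlen == 0) return -1;
    n = bounded_len(fstype, FSTYPE_MAX + 1);
    if (n == 0 || n > FSTYPE_MAX) return -1;      /* check length before copying */
    for (i = 0; i < n; i++)                       /* allow-list: no '/' or '.' */
        if (!isalnum((unsigned char)fstype[i]) && fstype[i] != '_') return -1;
    w = snprintf(out, outlen, "/opt/example/fs/%s/df", fstype);
    if (w < 0 || (size_t)w >= outlen) return -1;  /* treat truncation as failure */
    return 0;
}

int main(void) {
    char path[64], longarg[3633];
    memset(longarg, 't', 3632);                   /* same length as in the post */
    longarg[3632] = '\0';
    printf("hfs      -> %d\n", build_helper_path("hfs", path, sizeof path));
    printf("3632 x t -> %d\n", build_helper_path(longarg, path, sizeof path));
    return 0;
}
```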