From: Andrei Tudorache (aramiseasynet.ro)
Date: Thu Feb 21 2002 - 01:56:42 CST


    ==========================================
    = Pine Overflow Tested in RedHat 7.0 and others =
    =----------------------------------------=
    = Author: Andrei Tudorache =
    =----------------------------------------=
    = Email: aramiseasynet.ro =
    =----------------------------------------=
    ==========================================


    I've found a problem in pine, which is located in "/usr/bin/pine".
    Here are some tests I've made in << PINE 4.21 >>.

    Take a look at my test:


    [rootsoftly /root]# pine -attach `perl -e 'print "A" x 20429'`
    Segmentation fault (core dumped)
    [rootsoftly /root]#
    gdb output:
    ==========

    Core was generated by `pine -attach AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
    Program terminated with signal 11, Segmentation fault.
    Reading symbols from /usr/lib/libncurses.so.5...(no debugging symbols found)...done.
    Loaded symbols for /usr/lib/libncurses.so.5
    Reading symbols from /lib/libcrypt.so.1...done.
    Loaded symbols for /lib/libcrypt.so.1
    Reading symbols from /usr/kerberos/lib/libgssapi_krb5.so.2...done.
    Loaded symbols for /usr/kerberos/lib/libgssapi_krb5.so.2
    Reading symbols from /usr/kerberos/lib/libkrb5.so.3...done.
    Loaded symbols for /usr/kerberos/lib/libkrb5.so.3
    Reading symbols from /usr/kerberos/lib/libk5crypto.so.3...done.
    Loaded symbols for /usr/kerberos/lib/libk5crypto.so.3
    Reading symbols from /usr/kerberos/lib/libcom_err.so.3...done.
    Loaded symbols for /usr/kerberos/lib/libcom_err.so.3
    Reading symbols from /usr/lib/libssl.so.0...done.
    Loaded symbols for /usr/lib/libssl.so.0
    Reading symbols from /usr/lib/libcrypto.so.0...done.
    Loaded symbols for /usr/lib/libcrypto.so.0
    Reading symbols from /lib/libc.so.6...done.
    Loaded symbols for /lib/libc.so.6
    Reading symbols from /lib/ld-linux.so.2...done.
    Loaded symbols for /lib/ld-linux.so.2
    Reading symbols from /lib/libnss_files.so.2...done.
    Loaded symbols for /lib/libnss_files.so.2
    Reading symbols from /lib/libnss_nisplus.so.2...done.
    Loaded symbols for /lib/libnss_nisplus.so.2
    Reading symbols from /lib/libnsl.so.1...done.
    Loaded symbols for /lib/libnsl.so.1
    Reading symbols from /lib/libnss_nis.so.2...done.
    Loaded symbols for /lib/libnss_nis.so.2
    #0 0x812a375 in strcpy () at ../sysdeps/generic/strcpy.c:31
    31 ../sysdeps/generic/strcpy.c: No such file or directory.

    Then take a look at the registers:
    ====================================
    (gdb) info all-registers
    eax 0x0 0
    ecx 0x0 0
    edx 0xbfff6054 -1073782700
    ebx 0x0 0
    esp 0xbfff6184 0xbfff6184
    ebp 0xbfff618c 0xbfff618c
    esi 0x0 0
    edi 0x0 0
    eip 0x812a375 0x812a375
    eflags 0x10246 66118
    cs 0x23 35
    ss 0x2b 43
    ds 0x2b 43
    es 0x2b 43
    fs 0x2b 43
    gs 0x2b 43
    st0 0 (raw 0x00000000000000000000)
    st1 0 (raw 0x00000000000000000000)
    st2 0 (raw 0x00000000000000000000)
    st3 0 (raw 0x00000000000000000000)
    st4 0 (raw 0x00000000000000000000)
    st5 0 (raw 0x00000000000000000000)
    st6 0 (raw 0x00000000000000000000)
    st7 0 (raw 0x00000000000000000000)
    fctrl 0x0 0
    fstat 0x0 0
    ftag 0x0 0
    fiseg 0x0 0
    fioff 0x0 0
    foseg 0x0 0
    fooff 0x0 0
    fop 0x0 0
    (gdb)
    I didn't waste my time writing an exploit because of this:
    [rootsoftly /root]# ls -al `which pine`
    -rwxr-xr-x 1 root root 2680348 Aug 24 2000 /usr/bin/pine
    [rootsoftly /root]#

    --==Aramis==--
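The crash above ends inside strcpy() with a 20429-byte command-line argument, which is the classic signature of an unbounded copy into a fixed-size buffer. The following is an added illustration of that defect class and its bounded replacement; it is not pine's source, and the buffer size ATTACH_NAME_MAX, the function names and the test harness are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size destination standing in for whatever buffer the
 * strcpy() frame in the post writes into; pine's real buffer size is not
 * given on the page. */
#define ATTACH_NAME_MAX 1024

/* The pattern that produces the crash class seen in the post: an unbounded
 * strcpy() of a caller-controlled argument into a fixed stack buffer.
 * Kept only to show the defect; the example never feeds it long input. */
static void unsafe_copy_arg(const char *arg)
{
    char name[ATTACH_NAME_MAX];
    strcpy(name, arg);   /* no length check: a 20429-byte argument overruns the frame */
    printf("attach: %.16s\n", name);
}

/* Hardened form: measure first, refuse anything that does not fit, and
 * always leave the destination NUL-terminated.
 * Returns 0 on success and -1 when the argument is rejected. */
static int safe_copy_arg(char *dst, size_t dst_size, const char *arg)
{
    size_t len;
    if (dst == NULL || dst_size == 0 || arg == NULL)
        return -1;
    /* Stop scanning at the capacity rather than walking a huge string. */
    len = strnlen(arg, dst_size);
    if (len >= dst_size)   /* no room for the terminator: over-long argument */
        return -1;
    memcpy(dst, arg, len + 1);   /* copies the terminating NUL as well */
    return 0;
}

/* Builds a constructed argument of n 'A' bytes, like the perl one-liner in the post. */
static char *make_a_string(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

/* Feeds an n-byte 'A' string through the bounded copy and returns its verdict. */
static int try_attach_arg(size_t n)
{
    char name[ATTACH_NAME_MAX];
    char *arg = make_a_string(n);
    int rc;
    if (arg == NULL)
        return -1;
    rc = safe_copy_arg(name, sizeof name, arg);
    free(arg);
    return rc;
}

int main(void)
{
    unsafe_copy_arg("report.txt");   /* short input: harmless even for the unsafe version */
    printf("20429 bytes: %s\n",
           try_attach_arg(20429) == 0 ? "accepted" : "rejected");
    printf("%d bytes: %s\n", ATTACH_NAME_MAX - 1,
           try_attach_arg(ATTACH_NAME_MAX - 1) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The bounded version rejects the 20429-byte argument from the post instead of writing past the frame; it also rejects an input that is exactly ATTACH_NAME_MAX bytes long, since that leaves no room for the terminator, which is the off-by-one a naive `len > dst_size` check would miss. As the author notes, pine here is not setuid, so the practical impact of this particular crash is limited to the invoking user's own process.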