From: Sebastian Krahmer (krahmersuse.de)
Date: Mon Mar 25 2002 - 07:55:39 CST


    On Fri, 22 Mar 2002, Blue R wrote:

    Hi,

    -rwxr-xr-x 1 root root 8232 Sep 20 2001 /usr/bin/addresses

    /usr/bin/addresses binary belongs to the pilot-link package but it is
    neither +s nor does it run as a daemon. So even if there is
    an overflow inside, it is of no use to attackers.

    regards,
    Sebastian

    > Hi,
    > I am using 2.4.10 and SuSE 7.1, the binary 'addresses' does not give much information with no version options or man page etc. But it has the following behaviour:
    >
    > rblue:~ > addresses
    > usage:addresses /dev/cua??
    >
    > rblue:~ >addresses `perl -e 'print "A" x 131'`
    > pi_bind: No such file or directory
    >
    > rblue:~ >addresses `perl -e 'print "A" x 132'`
    > Segmentation fault
    >
    > rblue:~ >gdb ./addresses
    > GNU gdb 5.0
    > Copyright 2000 Free Software Foundation, Inc.
    > GDB is free software, covered by the GNU General Public License, and you are
    > welcome to change it and/or distribute copies of it under certain conditions.
    > Type "show copying" to see the conditions.
    > There is absolutely no warranty for GDB. Type "show warranty" for details.
    > This GDB was configured as "i386-suse-linux"...(no debugging symbols found)...
    > (gdb) set args `perl -e 'print "A" x 132'`
    > (gdb) r
    > Starting program: /home/r/AUDIT/TEST/./addresses `perl -e 'print "A" x 132'`
    > (no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
    > Program received signal SIGSEGV, Segmentation fault.
    > 0x400afdbb in getenv () from /lib/libc.so.6
    > (gdb) info reg
    > eax 0xbf004141 -1090502335
    > ecx 0x8049ff0 134520816
    > edx 0x4950 18768
    > ebx 0x40198828 1075415080
    > esp 0xbffeee94 0xbffeee94
    > ebp 0xbffeeebc 0xbffeeebc
    > esi 0xbffff500 -1073744640
    > edi 0x4002a622 1073915426
    > eip 0x400afdbb 0x400afdbb
    > eflags 0x210286 2163334
    > cs 0x23 35
    > ss 0x2b 43
    > ds 0x2b 43
    > es 0x2b 43
    > fs 0x0 0
    > gs 0x0 0
    > fctrl 0x37f 895
    > fstat 0x0 0
    > ftag 0xffff 65535
    > fiseg 0x23 35
    > fioff 0x4086106b 1082527851
    > foseg 0x2b 43
    > fooff 0xbfffec18 -1073746920
    > fop 0x518 1304
    >
    > Regards,
    > B.
    >
    >
    >

    -- 
    ~
    ~ perl self.pl
    ~ $_='print"\$_=\47$_\47;eval"';eval
    ~ krahmersuse.de - SuSE Security Team
    ~
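The thread turns on two checks: Sebastian's (is the binary setuid/setgid, so that a crash crosses a privilege boundary?) and Blue R's (did the 0x41 fill pattern from the oversized argument reach a register, as `eax 0xbf004141` shows?). The script below is an added Python triage helper, not code from the original post or from pilot-link. The `ls -l` line and the gdb `info reg` dump are constructed copies shaped like the output quoted above; the dump is assumed to be 32-bit i386 as in the thread. The "runs as a daemon" part of the argument is not covered here, since file mode alone says nothing about how a binary is launched.

```python
"""Crash-triage helper for the two questions raised in the thread:
does the binary cross a privilege boundary (setuid/setgid), and did the
input fill pattern reach a register?  Added example, not code from the
original post."""
import re
import stat

# Constructed sample data, shaped like the output shown in the thread.
LS_LINE = "-rwxr-xr-x 1 root root 8232 Sep 20 2001 /usr/bin/addresses"
INFO_REG = """\
eax 0xbf004141 -1090502335
ecx 0x8049ff0 134520816
edx 0x4950 18768
ebx 0x40198828 1075415080
esp 0xbffeee94 0xbffeee94
ebp 0xbffeeebc 0xbffeeebc
esi 0xbffff500 -1073744640
edi 0x4002a622 1073915426
eip 0x400afdbb 0x400afdbb
"""


def parse_mode(mode_str):
    """Turn an `ls -l` mode string such as '-rwsr-xr-x' into st_mode permission bits."""
    if len(mode_str) != 10:
        raise ValueError("expected a 10-character ls -l mode string")
    bits = 0
    for i, ch in enumerate(mode_str[1:]):      # skip the file-type column
        slot = 1 << (8 - i)                    # rwxrwxrwx -> 0o400 ... 0o001
        if ch == "-":
            continue
        if ch in "rwx":
            bits |= slot
        elif ch in "sS":                       # setuid (user x slot) / setgid (group x slot)
            if i == 2:
                bits |= stat.S_ISUID
            elif i == 5:
                bits |= stat.S_ISGID
            else:
                raise ValueError("'s' is only valid in the user or group execute column")
            if ch == "s":                      # lowercase: the execute bit is set as well
                bits |= slot
        elif ch in "tT":                       # sticky bit (other x slot)
            if i != 8:
                raise ValueError("'t' is only valid in the other execute column")
            bits |= stat.S_ISVTX
            if ch == "t":
                bits |= slot
        else:
            raise ValueError(f"unexpected character {ch!r} in mode string")
    return bits


def privilege_boundary(ls_line):
    """Owner and setuid/setgid status from one `ls -l` line."""
    mode_str, _links, owner, group = ls_line.split()[:4]
    mode = parse_mode(mode_str)
    return {
        "owner": owner,
        "group": group,
        "setuid": bool(mode & stat.S_ISUID),
        "setgid": bool(mode & stat.S_ISGID),
    }


REG_RE = re.compile(r"^\s*(\w+)\s+0x([0-9a-fA-F]+)")


def tainted_registers(info_reg, fill_byte=0x41, min_bytes=2):
    """Registers whose value holds at least `min_bytes` copies of the fill byte.

    A run of the fill byte in a general-purpose register is the usual sign that
    the oversized argument overwrote a saved pointer or value."""
    hits = {}
    for line in info_reg.splitlines():
        m = REG_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), int(m.group(2), 16)
        width = 4 if value <= 0xFFFFFFFF else 8   # the thread's dump is 32-bit i386
        count = value.to_bytes(width, "little").count(fill_byte)
        if count >= min_bytes:
            hits[name] = count
    return hits


def triage(ls_line, info_reg):
    """Combine both checks into one verdict for the crash."""
    boundary = privilege_boundary(ls_line)
    tainted = tainted_registers(info_reg)
    crosses_boundary = boundary["setuid"] or boundary["setgid"]
    if tainted and crosses_boundary:
        verdict = "privileged: input data reached a register in a setuid/setgid binary"
    elif tainted:
        verdict = ("unprivileged: overflow confirmed, but the binary runs only "
                   "with the invoking user's rights")
    else:
        verdict = "no fill pattern in registers; crash cause not yet established"
    return {"boundary": boundary, "tainted": tainted, "verdict": verdict}


if __name__ == "__main__":
    result = triage(LS_LINE, INFO_REG)
    print(result["boundary"])
    print(result["tainted"])
    print(result["verdict"])
```

Run on the thread's own data the verdict is "unprivileged": `eax` carries two 0x41 bytes, so the 132-byte argument did overwrite something, but the mode string has no `s` in either execute column, which is exactly Sebastian's point. Swapping the sample line for a `-rwsr-xr-x` mode flips the verdict, which is the case a maintainer would actually need to act on.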