lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <E3ACF3CD-EF11-11D8-A3C7-000D93C0F38C@teknovis.com>
From: andfarm at teknovis.com (Andrew Farmer)
Subject: some small bugs.

On 15 Aug 2004, at 05:49, Noam Rathaus wrote:
> On Sunday 15 August 2004 00:32, Gabriele Galadini wrote:
>> Hi all,
>>
>> I've found some packages on obsd current version
>> (3.5) on arch x86 that give me return problems.
>>
>> I explain:
>>
>> mtv@...cuzio~$ export HOME=`perl -e 'print "A" x 4387'`
>> mtv@...cuzio~$ dpsinfo
>> Segmentation fault
>> mtv@...cuzio~$ export HOME=`perl -e 'print "A" x 4387'`
>> mtv@...cuzio~$ dpsinfo
>> Segmentation fault
>> mtv@...cuzio~$ export HOME=`perl -e 'print "A" x 5763'`
>> mtv@...cuzio~$ dpsexec
>> Segmentation fault
>> mtv@...cuzio~$ export HOME=`perl -e 'print "A" x 1619'`
>> mtv@...cuzio~$ mwm
>> Segmentation fault
>> mtv@...cuzio~$ export HOME=`perl -e 'print "A" x 2915'`
>> mtv@...cuzio~$ xv
>> Segmentation fault
>> mtv@...cuzio~$ export HOME=`perl -e 'print "A" x 1013'`
>> mtv@...cuzio~$ abiword
>> Segmentation fault
>>
>> shell used is bash version 2.05b
>>
>> regards,
>> G.
>
> Hi,
>
> Under Debian:
>
> #ll -l /usr/bin/X11/dpsinfo
> -rwxr-xr-x 1 root root 6456 Jul 7 18:07 /usr/bin/X11/dpsinfo
>
> # gdb dpsinfo
> GNU gdb 6.1-debian
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for details.
> This GDB was configured as "i386-linux"...(no debugging symbols found)...Using
> host libthread_db library "/lib/tls/libthread_db.so.1".
>
> (gdb) r
> Starting program: /usr/X11R6/bin/dpsinfo
> (no debugging symbols found)...(no debugging symbols found)...(no debugging
> symbols found)...(no debugging symbols found)...(no debugging symbols
> found)...(no debugging symbols found)...(no debugging symbols found)...(no
> debugging symbols found)...(no debugging symbols found)...(no debugging
> symbols found)...(no debugging symbols found)...(no debugging symbols
> found)...
> Program received signal SIGSEGV, Segmentation fault.
> 0x41414141 in ?? ()
> (gdb) bt
> #0 0x41414141 in ?? ()
>
> ----
>
> # ll /usr/bin/X11/dpsexec
> -rwxr-xr-x 1 root root 8184 Jul 7 18:07 /usr/bin/X11/dpsexec
>
> # gdb dpsexec
> GNU gdb 6.1-debian
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for details.
> This GDB was configured as "i386-linux"...(no debugging symbols found)...Using
> host libthread_db library "/lib/tls/libthread_db.so.1".
>
> (gdb) r
> Starting program: /usr/X11R6/bin/dpsexec
> (no debugging symbols found)...(no debugging symbols found)...(no debugging
> symbols found)...(no debugging symbols found)...(no debugging symbols
> found)...(no debugging symbols found)...(no debugging symbols found)...(no
> debugging symbols found)...(no debugging symbols found)...(no debugging
> symbols found)...(no debugging symbols found)...(no debugging symbols
> found)...
> Program received signal SIGSEGV, Segmentation fault.
> 0x41414141 in ?? ()
>
> ----
>
> So Debian is also vulnerable, both these binaries come with the
> xbase-clients package.

However, the overflow does not lead to a security breach - none of the programs in question are suid, so all you can do with an exploit is get a shell. Which you already had, because you just launched the program from it :-)

In any case, the situation in which the bug shows up is so implausible ($HOME thousands of characters long) that it's barely worth fixing.
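The pattern behind crashes like these, as an added example that is not code from dpsinfo, dpsexec or the xbase-clients package: an unchecked copy of $HOME into a fixed-size buffer, shown in a comment, beside a bounded replacement that refuses oversized values instead of overflowing. The 256-byte buffer size and the /.dpsrc file name are assumptions; the 4387-byte "A" string mirrors the length in the dpsinfo report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from dpsinfo, dpsexec or xbase-clients.
 * An oversized $HOME ending in EIP = 0x41414141 is what an unchecked
 * copy into a fixed-size stack buffer looks like:
 *
 *     char path[256];
 *     strcpy(path, getenv("HOME"));      // no length check
 *     strcat(path, "/.dpsrc");           // assumed file name
 *
 * build_home_path() is the bounded replacement: it fails instead of
 * writing past the buffer and tolerates an unset HOME. */

#define HOME_PATH_LEN 256   /* assumed buffer size for this example */

/* Fill out[] with "<home><suffix>". Returns 0 on success, -1 (with
 * out[] emptied) if home is NULL or the result does not fit in
 * outlen bytes, NUL included. */
int build_home_path(const char *home, const char *suffix,
                    char *out, size_t outlen)
{
    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (home == NULL || suffix == NULL)
        return -1;
    int n = snprintf(out, outlen, "%s%s", home, suffix);
    if (n < 0 || (size_t)n >= outlen) {   /* would truncate: refuse */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructs the kind of value the report exports ("A" repeated n
 * times) so the oversize case can be exercised without touching the
 * real environment. Caller frees the result. */
char *make_long_home(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}
```

With a HOME_PATH_LEN-sized buffer, a 4387-byte value is rejected with -1 while an ordinary "/home/mtv" is accepted.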