Message-ID: <E3ACF3CD-EF11-11D8-A3C7-000D93C0F38C@teknovis.com>
From: andfarm at teknovis.com (Andrew Farmer)
Subject: some small bugs.
On 15 Aug 2004, at 05:49, Noam Rathaus wrote:
> On Sunday 15 August 2004 00:32, Gabriele Galadini wrote:
>> Hi all,
>>
>> i've found some packages on obsd current version
>> (3.5) on arch x86, give me return problems.
>>
>> I explain:
>>
>> mtv@...cuzio~$ export HOME=`perl -e 'print "A" x 4387'`
>> mtv@...cuzio~$ dpsinfo
>> Segmentation fault
>> mtv@...cuzio~$ export HOME=`perl -e 'print "A" x 4387'`
>> mtv@...cuzio~$ dpsinfo
>> Segmentation fault
>> mtv@...cuzio~$ export HOME=`perl -e 'print "A" x 5763'`
>> mtv@...cuzio~$ dpsexec
>> Segmentation fault
>> mtv@...cuzio~$ export HOME=`perl -e 'print "A" x 1619'`
>> mtv@...cuzio~$ mwm
>> Segmentation fault
>> mtv@...cuzio~$ export HOME=`perl -e 'print "A" x 2915'`
>> mtv@...cuzio~$ xv
>> Segmentation fault
>> mtv@...cuzio~$ export HOME=`perl -e 'print "A" x 1013'`
>> mtv@...cuzio~$ abiword
>> Segmentation fault
>>
>> shell used is bash version 2.05b
>>
>> regards,
>> G.
> Hi,
>
> Under Debian:
>
> #ll -l /usr/bin/X11/dpsinfo
> -rwxr-xr-x 1 root root 6456 Jul 7 18:07 /usr/bin/X11/dpsinfo
>
> # gdb dpsinfo
> GNU gdb 6.1-debian
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for details.
> This GDB was configured as "i386-linux"...(no debugging symbols found)...Using host libthread_db library "/lib/tls/libthread_db.so.1".
>
> (gdb) r
> Starting program: /usr/X11R6/bin/dpsinfo
> (no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
> (no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
> (no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
> Program received signal SIGSEGV, Segmentation fault.
> 0x41414141 in ?? ()
> (gdb) bt
> #0 0x41414141 in ?? ()
>
> ----
>
> # ll /usr/bin/X11/dpsexec
> -rwxr-xr-x 1 root root 8184 Jul 7 18:07 /usr/bin/X11/dpsexec
>
> # gdb dpsexec
> GNU gdb 6.1-debian
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for details.
> This GDB was configured as "i386-linux"...(no debugging symbols found)...Using host libthread_db library "/lib/tls/libthread_db.so.1".
>
> (gdb) r
> Starting program: /usr/X11R6/bin/dpsexec
> (no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
> (no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
> (no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
> Program received signal SIGSEGV, Segmentation fault.
> 0x41414141 in ?? ()
>
> ----
>
> So Debian is also vulnerable, both these binaries come with the xbase-clients package.
However, the overflow does not lead to a security breach - none of the programs in question are suid, so all you can do with an exploit is get a shell. Which you already had, because you just launched the program from it :-)

In any case, the situation in which the bug shows up is so implausible ($HOME thousands of characters long) that it's barely worth fixing.
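As an added example (not code from this thread or from the xbase-clients package): the bug class reported above is an unbounded copy of $HOME into a fixed-size buffer, and the hardened path builder below fails closed on an over-long $HOME instead of overflowing; a small stat() check answers the triage question in the reply, whether a binary is actually setuid. The function names and the `.dpsrc` file suffix are assumptions.

```c
/* Added example, not the dpsinfo/dpsexec source. The bug class in the thread is
 * an unbounded copy of $HOME into a fixed-size buffer, e.g.
 *     strcpy(path, getenv("HOME"));   // overflows once $HOME exceeds the buffer
 * build_home_path() is a hypothetical hardened replacement. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Build "<home>/<suffix>" into out[outlen]. Returns 0 on success, -1 if home
 * is missing/empty or the result would not fit; out is "" on failure. */
int build_home_path(const char *home, const char *suffix,
                    char *out, size_t outlen)
{
    if (outlen == 0) return -1;
    out[0] = '\0';
    if (home == NULL || home[0] == '\0') return -1;
    /* snprintf writes at most outlen bytes and returns the length the full
     * string would have had, so n >= outlen means it was truncated. */
    int n = snprintf(out, outlen, "%s/%s", home, suffix);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Same, but reading $HOME from the environment as the affected programs do. */
int build_home_path_from_env(const char *suffix, char *out, size_t outlen)
{
    return build_home_path(getenv("HOME"), suffix, out, outlen);
}

/* Triage check from the reply: 1 if the binary is setuid/setgid, 0 if not, -1 on error. */
int is_setuid_or_setgid(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (st.st_mode & (S_ISUID | S_ISGID)) ? 1 : 0;
}

int main(void)
{
    char path[1024];   /* same fixed size a naive strcpy() version would use */
    if (build_home_path_from_env(".dpsrc", path, sizeof path) != 0) {
        fprintf(stderr, "HOME unset or too long; refusing to continue\n");
        return 1;
    }
    printf("config path: %s\n", path);
    return 0;
}
```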