ircii-pana (BitchX) 74p4 overflow - exploit/fix

From: Michal Zalewski (lcamtufat_private)
Date: Mon May 25 1998 - 04:28:08 PDT


    -- Risk --
    
    Hemm, after a few minutes, I'm sure BitchX buffer overflow IS exploitable.
    I tried about 3000 'A' letters followed by original .plan, and got:
    
    Program received signal SIGSEGV, Segmentation fault.
    0x41414141 in ?? ()
    
    I'm assuming almost anyone is able to modify more or less generic
    shellcode.
    
    -- Fix --
    
    "All new dgets -- no more trap doors!" - that's from newio.c :-)))
    
    Hemm?:) Here's a fix, sufficient at least in the above situation.
    
    
    --- newio.c.orig        Tue Nov 18 04:49:28 1997
    +++ newio.c     Mon May 25 13:25:58 1998
    @@ -296,7 +296,7 @@
            {
                    if (((str[cnt] = ioe->buffer[ioe->read_pos++])) == '\n')
                            break;
    -               cnt++;
    +               if (++cnt>=BIG_BUFFER_SIZE) ioe->read_pos=ioe->write_pos;
            }
    
            /*
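Review bot: the new check on the `+ if (++cnt>=BIG_BUFFER_SIZE) ioe->read_pos=ioe->write_pos;` line runs only after `str[cnt] = ioe->buffer[ioe->read_pos++]` has already stored the byte, and it stops further stores only indirectly, by draining the input so that the loop condition (outside this hunk) terminates when read_pos reaches write_pos; on that exit path cnt equals BIG_BUFFER_SIZE, so if the code after the loop terminates the string with `str[cnt] = 0` (not shown here) that write lands one past a BIG_BUFFER_SIZE-byte destination. Suggest testing the bound before the store, e.g. `if (cnt >= BIG_BUFFER_SIZE - 1) break;` ahead of the assignment, or better, comparing against the real size of the caller's `str` rather than assuming BIG_BUFFER_SIZE, so that the terminator is guaranteed to fit. Also worth a comment: setting read_pos to write_pos discards not just the remainder of the oversized line but every byte already buffered behind it, so following lines can be swallowed; if that is the intended behaviour it should be stated, otherwise consume only up to the next '\n'.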
    
    _______________________________________________________________________
    Michal Zalewski [lcamtufat_private] <= finger for pub PGP key
    To iterate is human, to recurse is divine [P. Deutsch]
    [echo "\$0&\$0">_;chmod +x _;./_] <=------=> [tel +48 (0) 22 813 25 86]
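The underlying defect is a line-reading loop that stores into a fixed-size destination without checking the bound before each store. The following is an added example written for this page, not BitchX's code and not the author's patch: a `safe_dgets`-style reader over a hypothetical `io_entry` buffer (the struct and function names are assumptions) that checks the bound before storing, drops the excess of an oversized line while still consuming it up to the newline so the next line is read cleanly, and always places the NUL terminator inside the buffer. The constructed input in `demo_oversized_line` mirrors the post's scenario of a long run of 'A' characters followed by an ordinary line.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a per-descriptor I/O buffer (names are assumptions,
 * not the project's real struct): buffer[read_pos .. write_pos) is pending input. */
#define IO_BUFFER_SIZE 8192
typedef struct {
    char buffer[IO_BUFFER_SIZE];
    size_t read_pos;
    size_t write_pos;
} io_entry;

/* Copy one line, up to and including '\n', from ioe into str (str_size bytes
 * including the NUL).  The bound is tested BEFORE each store, so str cannot be
 * overrun; bytes beyond str_size-1 are consumed and dropped until the end of
 * the line, so the next call starts on a fresh line rather than on the tail of
 * the oversized one.  Returns bytes stored; *truncated is set if any were dropped. */
size_t safe_dgets(char *str, size_t str_size, io_entry *ioe, int *truncated)
{
    size_t cnt = 0;
    *truncated = 0;
    if (str_size == 0)
        return 0;
    while (ioe->read_pos < ioe->write_pos) {
        char c = ioe->buffer[ioe->read_pos++];   /* always consume the byte */
        if (cnt < str_size - 1)
            str[cnt++] = c;                       /* store only while room remains */
        else
            *truncated = 1;                       /* would have overflowed: drop it */
        if (c == '\n')
            break;
    }
    str[cnt] = '\0';   /* cnt <= str_size - 1, so the terminator is in bounds */
    return cnt;
}

/* Load constructed input into the I/O buffer. */
static void load_input(io_entry *ioe, const char *data, size_t len)
{
    if (len > sizeof ioe->buffer)
        len = sizeof ioe->buffer;
    memcpy(ioe->buffer, data, len);
    ioe->read_pos = 0;
    ioe->write_pos = len;
}

/* Run `input` through safe_dgets with a str_size-byte destination; return the
 * number of lines delivered and, via *truncated_out, how many were cut short. */
static int read_all_lines(const char *input, size_t str_size, int *truncated_out)
{
    io_entry ioe;
    char str[256];
    int lines = 0, truncated = 0, t;
    if (str_size > sizeof str)
        str_size = sizeof str;
    load_input(&ioe, input, strlen(input));
    while (ioe.read_pos < ioe.write_pos) {
        safe_dgets(str, str_size, &ioe, &t);
        lines++;
        truncated += t;
    }
    *truncated_out = truncated;
    return lines;
}

int lines_in(const char *input, size_t str_size)
{
    int t;
    return read_all_lines(input, str_size, &t);
}

int truncated_in(const char *input, size_t str_size)
{
    int t;
    read_all_lines(input, str_size, &t);
    return t;
}

/* Constructed scenario modelled on the post: a 3000-byte line of 'A' followed by
 * a normal line, read through a 64-byte destination.  Returns 1 if the long line
 * is cut at the bound and the following line still arrives intact. */
int demo_oversized_line(void)
{
    static char input[3000 + 16];
    io_entry ioe;
    char str[64];
    int t;
    size_t n;
    memset(input, 'A', 3000);
    memcpy(input + 3000, "\nnormal line\n", 13);
    load_input(&ioe, input, 3000 + 13);
    n = safe_dgets(str, sizeof str, &ioe, &t);
    if (n != sizeof str - 1 || !t || strspn(str, "A") != n)
        return 0;
    n = safe_dgets(str, sizeof str, &ioe, &t);
    return n == 12 && !t && strcmp(str, "normal line\n") == 0;
}

int main(void)
{
    int t, lines = read_all_lines("short\nA much longer line than the buffer\n", 16, &t);
    printf("lines=%d truncated=%d scenario_ok=%d\n", lines, t, demo_oversized_line());
    return 0;
}
```

The design point is that the size check sits ahead of the store and is tied to the destination's own size passed by the caller, not to a global constant; the `truncated` flag lets the caller decide whether a cut line should be processed or logged rather than silently treated as complete.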
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:54:25 PDT