> while i was playing with the finger command, i got a coredump when
> i submit
>
> finger aaaa ( 200 random characters )
>
> i wonder if this is a possible security hole because the finger
> command is owned by bin group.

The situation is far worse, if fingerd is run (which invokes finger).

> my HP-UX is A.09.05 A 9000/73
>
> sorry if this is an old bug i didn't have the time to check the archive
> and forgive me for my broken english :)

When I first noticed this some years ago, I didn't find anything about it in any archives. But the hole should prove hard to exploit anyway - at least for the m68k hpux version, the overflow was in the malloc() area - it cores after a second call to malloc(). So standard techniques won't apply, but it should be possible to direct the write to the second malloced() area to any memory location.

Walter
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:54:54 PDT