Re: Buffer overflows in Minicom 1.80.1

From: M.C.Mar (woloszynat_private)
Date: Mon Aug 31 1998 - 02:13:38 PDT


    On Sat, 29 Aug 1998, Eduardo Navarro wrote:
    
    > I have found some buffer overflows in Minicom 1.80.1, which comes setuid
    > root with Slackware 3.5.  I know that some overflows in other versions of
    > minicom (not setuid root) were discussed, but I think this one is "new"
    > and more dangerous.
    >
    Hi!
    
    I found those overflows about 2 months ago and they do not seem to be
    exploitable in an easy way.
    Look at this:
    
    woozle:~> gdb ./minicom
    [...]
    (gdb) r -t /dev/ttyp`perl -e 'print "A" x 9000'`
    [...]
    Program received signal SIGSEGV, Segmentation fault.
    0x400ae057 in strcpy ()
    (gdb) backtrace
    #0  0x400ae057 in strcpy ()
    #1  0xbfffd638 in ?? ()
    #2  0x804981e in free ()
    [...]
    (gdb) x/i 0x400ae057
    0x400ae057 <strcpy+19>: movb   %al,(%ecx,%edx,1)
    [...]
    (gdb) info registers
    eax            0x4806dc41       1208409153
    [...]
    
    I tried to play with the data to bypass that, but with no success :(
    Same with TERM, and HOME.
    
    
    Another interesting thing is that procmail also contains a similar bug:
    woozle:~> gdb ./procmail
    [...]
    (gdb)  r `perl -e 'print "A" x 5000'`
    Starting program: /home/emsi/./procmail `perl -e 'print "A" x 5000'`
    
    [You need to type ^D here!!!]
    
    procmail: Couldn't create "/var/spool/mail/emsi"
    (no debugging symbols found)...(no debugging symbols found)...
    Program received signal SIGSEGV, Segmentation fault.
    0x4008a107 in malloc ()
    
    Interesting, isn't it? But look at this:
    (gdb)  r `perl -e 'print "A" x 7000'`
    [...]
    Starting program: /home/emsi/./procmail `perl -e 'print "A" x 7000'`
    procmail: Couldn't create "/var/spool/mail/emsi"
    
    Program received signal SIGSEGV, Segmentation fault.
    0x4007dfa3 in strncmp ()
    
    But this time, there is something more interesting:
    (gdb) x/i 0x4007dfa3
    0x4007dfa3 <strncmp+19>:        lodsb  %ds:(%esi),%al
    (gdb) info registers
    eax            0x41414141       1094795585
    esi            0x41414141       1094795585
    ds             0x2b     43
    
    Also malloc looks interesting. Whereas in the case of minicom it seems
    impossible to me to exploit it, in the case of procmail it is much more
    interesting and I would like to discuss the possibility of exploiting it.
    Oh, I almost forgot:
    woozle:~> ./procmail -v
    procmail v3.10 1994/10/31 written and created by Stephen R. van den Berg
                                    bergat_private-aachen.de
    
    All has been tested on slackware 3.5.
    
    RegardZ,
    
    Kil3r
    --
    ___________________________________________________________________________
    M.C.Mar   An NT server can be run by an idiot, and usually is.   emsiat_private
          "If you can't make it good, make it LOOK good." - Bill Gates
      Maybe this isn't the place, but, for example, M$ programs are peculiar monuments to stupidity.
    
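The crash shown above is the classic shape of an unbounded `strcpy` of a user-supplied device name into a fixed buffer. As an added example (not minicom's or procmail's own source), here is the bounded way to build such a `/dev/<name>` path in C; `DEVPATH_MAX`, `build_devpath` and `devpath_accepts_len` are names assumed for this illustration, and the 9000-byte `A` filler mirrors the gdb runs in the post.

```c
#include <stdio.h>
#include <string.h>

#define DEVPATH_MAX 64   /* assumed fixed buffer size for this illustration */

/* Build "/dev/<name>" into a fixed-size buffer without ever writing past it.
 * Returns 0 on success, -1 if the name is empty or the result would not fit.
 * Added example code, not minicom's own implementation. */
int build_devpath(char *dst, size_t dstsz, const char *name)
{
    if (dst == NULL || dstsz == 0 || name == NULL || *name == '\0')
        return -1;
    /* snprintf writes at most dstsz bytes (NUL included) and returns the
     * length the full string would have had, so truncation is detectable. */
    int n = snprintf(dst, dstsz, "/dev/%s", name);
    if (n < 0 || (size_t)n >= dstsz) {
        dst[0] = '\0';   /* do not leave a silently truncated path behind */
        return -1;
    }
    return 0;
}

/* Does a name of the given length (filled with 'A', as in the gdb runs)
 * pass the bounded builder?  Returns 1 if accepted, 0 if rejected. */
int devpath_accepts_len(size_t len)
{
    char name[10000];          /* constructed test input, large enough for 9000 */
    char path[DEVPATH_MAX];
    if (len >= sizeof name)
        return 0;
    memset(name, 'A', len);
    name[len] = '\0';
    return build_devpath(path, sizeof path, name) == 0;
}

int main(void)
{
    char path[DEVPATH_MAX];
    printf("ttyp0      -> rc=%d path=%s\n",
           build_devpath(path, sizeof path, "ttyp0"), path);
    printf("9000 x 'A' -> accepted=%d\n", devpath_accepts_len(9000));
    return 0;
}
```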



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:14:21 PDT