bof in sdtcm_convert (Solaris 2.5)

From: Joel Eriksson (na98jenat_private)
Date: Fri Oct 23 1998 - 10:16:26 PDT


    /usr/dt/bin/sdtcm_convert seems to have a buffer-overflow.
    
    Cut'n'paste the text below to test for it:
    ---
    cd /tmp
    cp /usr/dt/bin/sdtcm_convert test
    truss -o blaha ./test -d /tmp `perl -e 'print "A"x10265'`
    tail -5 blaha
    ---
    
    This is what I get:
    ---
        Incurred fault #6, FLTBOUNDS  %pc = 0xEF4E2EA0
          siginfo: SIGSEGV SEGV_MAPERR addr=0x41004EFC
        Received signal #11, SIGSEGV [default]
          siginfo: SIGSEGV SEGV_MAPERR addr=0x41004EFC
            *** process killed ***            ^^------- ASCII-code for 'A'
    ---
    
    If I use print "A"x10268 all of the address is 0x41's.
    
    No setuid() in the truss-output, so it does not drop root-privs either..
    
    If I have totally misunderstood something here please let me know, and if
    someone manages to write an exploit for it please send it to me. :-)
    I've tried myself but it's not going too well .. :-P
    
    /Joel Eriksson
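As an added illustration (not part of the original post): a small Python triage helper that parses the truss siginfo lines quoted above, reports how many leading bytes of the faulting address equal the fill character, and checks whether any uid/gid-changing call appears in the trace. The sample trace is constructed to mirror the post's output.

```python
import re

# Constructed sample of truss(1) output modelled on the lines quoted in the
# post; it is not the author's real trace file.
SAMPLE_TRUSS = """\
open("/usr/lib/libc.so.1", O_RDONLY)            = 3
    Incurred fault #6, FLTBOUNDS  %pc = 0xEF4E2EA0
      siginfo: SIGSEGV SEGV_MAPERR addr=0x41004EFC
    Received signal #11, SIGSEGV [default]
      siginfo: SIGSEGV SEGV_MAPERR addr=0x41004EFC
        *** process killed ***
"""

SIGINFO_RE = re.compile(r"siginfo:\s+(\w+)\s+(\w+)\s+addr=0x([0-9A-Fa-f]+)")
# Any uid/gid-changing system call would show the program dropping privileges.
PRIV_DROP_RE = re.compile(r"^\s*(set(?:e|r|res)?[ug]id)\(", re.M)

def fault_address(truss_text):
    """Return (signal, code, address) from the first siginfo line, or None."""
    m = SIGINFO_RE.search(truss_text)
    if not m:
        return None
    return m.group(1), m.group(2), int(m.group(3), 16)

def leading_fill_bytes(addr, fill, width=4):
    """Count bytes of addr, most significant first, equal to fill (32-bit assumed)."""
    count = 0
    for i in range(width - 1, -1, -1):
        if ((addr >> (8 * i)) & 0xFF) != fill:
            break
        count += 1
    return count

def dropped_privileges(truss_text):
    """True if a uid/gid-changing call appears anywhere in the trace."""
    return PRIV_DROP_RE.search(truss_text) is not None

def triage(truss_text, fill_char="A"):
    """Summarise a crash trace: fault, fill-controlled address bytes, priv drop."""
    info = fault_address(truss_text)
    if info is None:
        return {"faulted": False}
    sig, code, addr = info
    return {
        "faulted": True, "signal": sig, "code": code, "addr": addr,
        "fill_bytes": leading_fill_bytes(addr, ord(fill_char)),
        "privs_dropped": dropped_privileges(truss_text),
    }
```

For the quoted trace the helper reports one fill-controlled byte (the 0x41 the post marks), and no privilege-dropping call; a fully overwritten address such as 0x41414141 would report all four.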
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:20:50 PDT