In message <Pine.LNX.3.96.990314002501.15534A-100000at_private> kasper writes: : finally:~ $ /usr/bin/doscmd `perl -e 'print "A" x 1015'` : Segmentation fault : : doscmd is setuid executable as well. On FreeBSD, where doscmd wasn't built by default until quite recently, I was able to reproduce this buffer overflow. In fixing it, I found several others that were hard to find/fix and I was able to move the buffer overflow to a place later in the program :-(. It appears that much work will need to be done to rid this program of the buffer overflows from this one, simple example. I took the precaution of removing the setgid kmem bit from the installed binary until these issues can be resolved. The buffer overflows look like they could be exploitable, at least in FreeBSD's version. I have quite a few core files that show an illegal address of 0x41414141. Warner
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:39:13 PDT