Re: /usr/bin/doscmd on BSDI

From: Warner Losh (impat_private)
Date: Wed Mar 17 1999 - 12:05:30 PST

    In message <Pine.LNX.3.96.990314002501.15534A-100000at_private> kasper writes:
    : finally:~ $ /usr/bin/doscmd `perl -e 'print "A" x 1015'`
    : Segmentation fault
    :
    : doscmd is setuid executable as well.
    
    On FreeBSD, where doscmd wasn't built by default until quite recently,
    I was able to reproduce this buffer overflow.  In fixing it, I found
    several others that were hard to find/fix and I was able to move the
    buffer overflow to a place later in the program :-(.  It appears that
    much work will need to be done to rid this program of the buffer
    overflows from this one, simple example.
    
    I took the precaution of removing the setgid kmem bit from the
    installed binary until these issues can be resolved.  The buffer
    overflows look like they could be exploitable, at least in FreeBSD's
    version.  I have quite a few core files that show an illegal address
    of 0x41414141.
    
    Warner
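Added illustration of the bug class Warner describes and the fix pattern he is applying (not doscmd's actual code; the CMDLINE_MAX size and the function names are assumptions): an unchecked argv copy into a fixed buffer beside a bounded version that rejects an over-long argument such as the 1015-byte one in the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size command buffer, like the one an emulator might
 * use to hold the command line it is asked to run. Size chosen for
 * illustration only; it is not doscmd's real value. */
#define CMDLINE_MAX 256

/* Unsafe pattern (the reported bug class): copying argv[1] with no length
 * check writes past cmd[] whenever the argument is longer than the buffer.
 * Kept only as the 'before' for comparison; never called. */
void set_cmdline_unsafe(char cmd[CMDLINE_MAX], const char *arg)
{
    strcpy(cmd, arg);   /* overflows for a 1015-byte argument */
}

/* Hardened version: measure first (bounded scan), refuse anything that
 * does not fit with its terminating NUL, then copy a known length.
 * Returns 0 on success, -1 when the argument is rejected. */
int set_cmdline_safe(char cmd[CMDLINE_MAX], const char *arg)
{
    size_t len = strnlen(arg, CMDLINE_MAX);
    if (len >= CMDLINE_MAX) {
        cmd[0] = '\0';      /* leave a well-defined, empty command */
        return -1;
    }
    memcpy(cmd, arg, len + 1);
    return 0;
}

/* Builds the constructed test input from the report: n 'A' bytes. */
char *make_a_string(size_t n)
{
    char *s = malloc(n + 1);
    if (!s) return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    char cmd[CMDLINE_MAX];
    char *arg = make_a_string(1015);
    int rc = set_cmdline_safe(cmd, arg);
    printf("1015-byte argument: %s\n", rc == 0 ? "accepted" : "rejected");
    free(arg);
    return 0;
}
```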
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:39:13 PDT