Re: [ Hackerslab bug_paper ] Linux dump buffer overflow

From: Lamagra Argamal (lamagraat_private)
Date: Fri Mar 03 2000 - 11:53:41 PST


    I checked RedHat's 5.2 dump (dump-0.3) and it doesn't seem vulnerable in an exploitable way.
    There's a minor heap-overflow though:
    
    snipped from optr.c
    
    msg(const char *fmt, ...)
    {
            .......
            va_start(ap, fmt);
    #else
            va_start(ap);
    #endif
            (void) vfprintf(stderr, fmt, ap);
            (void) fflush(stdout);
            (void) fflush(stderr);
            (void) vsprintf(lastmsg, fmt, ap);
            va_end(ap);
            ......
    }
    
    lastmsg is a global variable, size = 100
    
    -lamagra
    http://lamagra.seKure.de
    http://www.b0f.com
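As an added example (not dump's code and not the poster's), the quoted msg() body rewritten so the copy into the 100-byte lastmsg is bounded by vsnprintf and each consumer of the argument list gets its own va_copy, next to an audit helper that reports how long the original unbounded vsprintf would have made a given message; msg_safe, msg_formatted_len, sample_text and last_message are names assumed here, and the inputs are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LASTMSG_SIZE 100          /* dump's lastmsg is a 100-byte global */
static char lastmsg[LASTMSG_SIZE];

/* Hardened form of the quoted msg() (assumed name msg_safe, not dump's code).
 * vfprintf consumes ap, so the second formatter gets a va_copy; the write into
 * lastmsg is bounded and NUL-terminated by vsnprintf.
 * Returns 1 if the stored message had to be truncated, 0 otherwise. */
int msg_safe(const char *fmt, ...)
{
    va_list ap, ap2;
    int needed;

    va_start(ap, fmt);
    va_copy(ap2, ap);
    (void) vfprintf(stderr, fmt, ap);
    va_end(ap);
    (void) fflush(stdout);
    (void) fflush(stderr);
    needed = vsnprintf(lastmsg, sizeof lastmsg, fmt, ap2);
    va_end(ap2);
    return needed >= (int) sizeof lastmsg;
}

/* Audit helper (assumed name): number of bytes, excluding the NUL, that the
 * original unbounded vsprintf would write for this message. Anything >= 100
 * would overrun the 100-byte lastmsg in the quoted code. */
int msg_formatted_len(const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    return n;
}

const char *last_message(void) { return lastmsg; }

/* Constructed sample input: a static buffer holding len copies of fill. */
const char *sample_text(char fill, int len)
{
    static char buf[256];
    if (len < 0 || len > 255) len = 255;
    memset(buf, fill, (size_t) len);
    buf[len] = '\0';
    return buf;
}
```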
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:38:56 PDT