Re: dump buffer overflow

From: Kris Kennaway (krisat_private)
Date: Wed Mar 08 2000 - 14:41:04 PST


    On Tue, 7 Mar 2000, Lamagra Argamal wrote:
    
    > On FreeBSD dump has the same hole I described in my previous post.
    > Only it is exploitable :-) Dump with kerberos has __atexit and
    > __cleanup after all the other variables on the heap. By overwriting
    > these variables you can start your shellcode.
    >
    > Most of the credits should go to zen-parse who found and tested this.
    
    This was fixed on 1999/11/30 in 4.0-CURRENT by internal security auditing
    and backported to 3.3-STABLE on 1999/12/13. Therefore FreeBSD 3.4 (the
    most recent release) is not vulnerable.
    
    On the one hand, I'm glad you checked FreeBSD for vulnerability, but on
    the other hand it would be kinda nice to at least check the most recent
    release if not the -stable branch, instead of something more than 3 months
    out of date. Or failing that, to at least state which version it was that
    you found to be vulnerable :-(
    
    ----------------------------
    revision 1.9
    date: 1999/11/10 18:11:16;  author: imp;  state: Exp;  lines: +2 -2
    vsprintf -> vsnprintf in msg().
    ----------------------------
    
    ----------------------------
    revision 1.5.2.3
    date: 1999/12/13 15:53:13;  author: imp;  state: Exp;  lines: +2 -2
    Back merge buffer overflow in static buffer
    ----------------------------
    
    ----SNIP
            (void) vfprintf(stderr, fmt, ap);
            (void) fflush(stdout);
            (void) fflush(stderr);
            (void) vsnprintf(lastmsg, sizeof(lastmsg), fmt, ap);
            va_end(ap);
    ----SNIP
    
    Kris
    
    ----
    In God we Trust -- all others must submit an X.509 certificate.
        -- Charles Forsythe <forsytheat_private>
    
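As an added illustration (not code from this post or from FreeBSD's dump sources), the vsprintf -> vsnprintf change in msg() shown as a vulnerable and a fixed version side by side; the buffer size of 80 and the 199-byte test input are assumed for the demonstration. The fixed version also duplicates the va_list with va_copy() before consuming it twice and returns vsnprintf's length so that silent truncation can be detected.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* The post does not give dump's real buffer size; 80 is assumed here. */
#define LASTMSG_SIZE 80
static char lastmsg[LASTMSG_SIZE];

/* Before revision 1.9: vsprintf() does not know how large lastmsg is, so a
 * message longer than LASTMSG_SIZE-1 bytes runs past the buffer into whatever
 * the linker placed after it. Kept for comparison only; never called here. */
void msg_vulnerable(const char *fmt, ...)
{
	va_list ap;
	va_start(ap, fmt);
	(void) vsprintf(lastmsg, fmt, ap);	/* unbounded write */
	va_end(ap);
}

/* After the fix: vsnprintf() is given the buffer size and always
 * NUL-terminates. The argument list is consumed twice (stderr, then lastmsg),
 * so it is duplicated with va_copy() instead of being reused. The return
 * value is the length the whole message would have had, so a caller can
 * notice that the saved copy was silently cut short. */
int msg_fixed(const char *fmt, ...)
{
	va_list ap, ap2;
	int n;
	va_start(ap, fmt);
	va_copy(ap2, ap);
	(void) vfprintf(stderr, fmt, ap);
	(void) fflush(stderr);
	n = vsnprintf(lastmsg, sizeof(lastmsg), fmt, ap2);
	va_end(ap2);
	va_end(ap);
	return n;
}

/* True when the copy kept in lastmsg was truncated. */
int lastmsg_truncated(int n) { return n < 0 || (size_t)n >= sizeof(lastmsg); }
int saved_length(void) { return (int)strlen(lastmsg); }

/* Constructed over-long input: 199 'A's, well past LASTMSG_SIZE. */
int msg_fixed_overlong(void)
{
	char big[200];
	memset(big, 'A', sizeof(big) - 1);
	big[sizeof(big) - 1] = '\0';
	return msg_fixed("%s", big);
}
```
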
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:39:20 PDT