On Wed, Apr 11, 2001 at 05:50:39PM +0200, Johnny Cyberpunk wrote:
> This problem could allow an attacker to execute code on the stack and gain
> access to the system.

You should take a look at the source of Solaris. It's free and designed to
assist in such situations. gdb logs don't help that much.

The problem occurs in the function expand(), which is called from the
following functions: glob() -> collect() -> acollect() -> expand().

The segmentation fault is caused by copying the global variable home to
gpath. home is NULL if gethdir() hasn't been called or returned an error.
strcpy() fails.

Expanding the CWD command with more arguments, e.g. cwd ~/ffffffff...,
doesn't affect the home variable; this problem is not a buffer overflow.
It's very unlikely that a NULL pointer in home can be used to place any
code on the stack.

I don't believe that there will be a proof of concept for exploiting this
vulnerability to gain any privileges. But I am willing to learn... ;)

Regards,
Konrad

--
Konrad Rieck <krat_private>
Roqefellaz - http://www.r0q.cx, GPG Public Key http://www.r0q.cx/keys/kr.pub
-- Fingerprint: 3AA8 CF92 C179 9760 C3B3 1B43 33B6 9221 AFBF 5897
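The distinction Konrad draws above (a NULL source pointer in an unchecked strcpy() versus a stack buffer overflow) is easy to model in a few lines. The following is an added illustration, not the Solaris ftpd source and not code from either poster: the names home, gpath, expand() and gethdir() are taken from the message, but the layout of the globals, the MAXPATHLEN size and the two helper functions are assumptions made for this example. It shows the unchecked copy beside a checked variant that refuses to expand when no home directory is known and bounds the copy to the destination.

```c
/* Added example, not the Solaris ftpd source: a minimal model of the
 * expand() path described in the message. `home` is a global that a
 * successful gethdir() would normally fill in; if gethdir() was never
 * called or failed, it stays NULL and an unchecked strcpy() dereferences
 * NULL (SIGSEGV). The length of the client's "~/..." argument never
 * reaches this copy, which is why it is not a buffer overflow. */
#include <stdio.h>
#include <string.h>
#include <errno.h>

#define MAXPATHLEN 1024   /* assumed destination size for this example */

/* Hypothetical globals mirroring the message's description. */
static const char *home = NULL;    /* set by a successful gethdir(), else NULL */
static char gpath[MAXPATHLEN];

/* Model of the unchecked copy: with home == NULL this crashes. */
static void expand_unchecked(void)
{
    strcpy(gpath, home);   /* NULL dereference when home == NULL */
}

/* Hardened variant: fail cleanly when there is no home directory and
 * bound the copy to the destination. Returns 0 on success, -1 with
 * errno set otherwise. */
static int expand_checked(char *dst, size_t dstlen, const char *src)
{
    if (src == NULL) {
        errno = ENOENT;          /* no home directory known */
        return -1;
    }
    size_t n = strlen(src);
    if (n >= dstlen) {
        errno = ENAMETOOLONG;    /* would not fit, including the NUL */
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Simulates the outcome of gethdir() for the example. */
static void set_home(const char *h) { home = h; }

/* Feeds a source longer than gpath through the checked copy;
 * returns -1 because the bounded copy rejects it. */
static int expand_overlong(void)
{
    char big[MAXPATHLEN + 8];
    memset(big, 'a', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return expand_checked(gpath, sizeof gpath, big);
}

int main(void)
{
    /* State 1: gethdir() not called or failed, home is NULL. */
    printf("checked expand, NULL home -> %d\n",
           expand_checked(gpath, sizeof gpath, home));

    /* State 2: home set; both variants succeed. */
    set_home("/export/home/user");     /* constructed sample value */
    printf("checked expand, home set -> %d (%s)\n",
           expand_checked(gpath, sizeof gpath, home), gpath);
    expand_unchecked();                /* safe only because home != NULL now */
    printf("unchecked copy gave %s\n", gpath);

    printf("over-long source -> %d\n", expand_overlong());
    return 0;
}
```

Running the block prints -1 for the NULL case, 0 for the populated case, and -1 for the over-long source. The point for a defender is that the crash is a denial-of-service condition from a missing NULL check, and the fix is to make expand() return an error when home is unset rather than to enlarge gpath.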
This archive was generated by hypermail 2b30 : Mon Apr 16 2001 - 22:25:43 PDT