the joke continue

From: Izik (izikat_private)
Date: Mon Nov 12 2001 - 01:40:22 PST


    Hello
    
    After looking at the vim buffer overflow, I couldn't help wondering whether 
    other editors would be bugged as well.
    To my surprise I've found 3 more programs (mcedit, ed, joe). But then 
    again none of them are suid, so it's harmless.
    
    (root@izik [~])# uname -a
    Linux izik 2.2.19 #93 Thu Jun 21 01:09:03 PDT 2001 i686 unknown
    (root@izik [~])# cat /etc/slackware-version
    8.0.0 (åtta)
    (root@izik [~])#
    
    [mcedit (part of The Midnight Commander 4.5.51)]
    
    (root@izik [~])# ls -la /usr/bin/mcedit
    lrwxrwxrwx    1 root     root            2 Jul  2 17:50 /usr/bin/mcedit 
    -> mc*
    (root@izik [~])#
    
    I've found one segfault; the buffer should be at least 4048 bytes. I 
    couldn't manage to debug it through gdb
    for obvious reasons (ncurses).
    
    [ed (no idea what version)]
    
    (root@izik [~])# ls -al /bin/ed
    -rwxr-xr-x    1 root     bin         67396 May 31 00:17 /bin/ed*
    (root@izik [~])#
    
    I've found 4 segfaults, in different functions via different buffers.
    
    (segfault #1 , 4100 - 4140)
    Program received signal SIGSEGV, Segmentation fault.
    chunk_free (ar_ptr=0x4012acc0, p=0x805b318) at malloc.c:3083
    3083    malloc.c: No such file or directory.
    
    (segfault #2 , 4141 - 4152)
    Program received signal SIGSEGV, Segmentation fault.
    __libc_free (mem=0x41414141) at malloc.c:3039
    3039    malloc.c: No such file or directory.
    
    (segfault #3 , 4153 - 4175)
    Program received signal SIGSEGV, Segmentation fault.
    0x4008c1f6 in _IO_old_fclose (fp=0x805b320) at oldiofclose.c:55
    55      oldiofclose.c: No such file or directory.
    
    (segfault #4 , 4176 - .... )
    Program received signal SIGSEGV, Segmentation fault.
    0x4008c1f6 in _IO_old_fclose (fp=0x805b320) at oldiofclose.c:55
    55      oldiofclose.c: No such file or directory.
    
    [joe (v2.9.5)]
    
    (root@izik [~])# ls -al /usr/bin/joe
    -rwxr-xr-x    1 root     bin        174908 Apr  9  2001 /usr/bin/joe*
    (root@izik [~])#
    
    I pushed ctrl+c after the buffer was processed; you can segfault in 
    different functions depending on your
    action in the program. 
    
    (segfault #1 , 1024)
     
    (no debugging symbols found)...
    Program received signal SIGSEGV, Segmentation fault.
    0x41414141 in ?? ()
    
    --
    
    izik @ http://www.tty64.org
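As an added example that is not part of the original post: a small Python harness for the length sweep the post describes by hand. It hands the target a file holding one line of N filler bytes ('A', 0x41, which is why the post's gdb output shows 0x41414141 where pointers were expected) for a range of N, records which N crash the target and with which signal, and collapses neighbouring N with the same result into ranges like the post's "4100 - 4140". The target it runs is a constructed stand-in that crashes itself once a line reaches a chosen length; the editor command, the threshold and the lengths are assumptions. The harness closes stdin, so it fits line-mode tools such as ed; curses editors like joe or mc would need a pty instead.

```python
"""Length-sweep crash harness for a command that reads a file.

Added example, not code from the original post. fake_editor_cmd() is a
constructed stand-in for a vulnerable editor; the threshold and the
lengths swept are assumptions.
"""
import os
import signal
import subprocess
import sys
import tempfile

SIGSEGV_NUM = int(signal.SIGSEGV)


def make_payload(length, filler=b"A"):
    # One newline-terminated line of `length` filler bytes.
    return filler * length + b"\n"


def run_once(argv_template, payload, timeout=10):
    """Write payload to a temp file, run the target on it, classify the result.

    argv_template: argv strings; "{file}" is replaced with the temp file path.
    Returns ("exit", code), ("signal", signum) or ("timeout", 0).
    stdin is closed, so this suits line-mode tools, not curses editors.
    """
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(payload)
        path = f.name
    try:
        argv = [a.replace("{file}", path) for a in argv_template]
        try:
            proc = subprocess.run(argv, stdin=subprocess.DEVNULL,
                                  stdout=subprocess.DEVNULL,
                                  stderr=subprocess.DEVNULL, timeout=timeout)
        except subprocess.TimeoutExpired:
            return ("timeout", 0)
        if proc.returncode < 0:
            # POSIX: a negative return code is the terminating signal number.
            return ("signal", -proc.returncode)
        return ("exit", proc.returncode)
    finally:
        os.unlink(path)


def sweep(argv_template, lengths):
    """Run each length in order and merge consecutive lengths with the same
    result. Returns [(first_len, last_len, result), ...]."""
    ranges = []
    for n in lengths:
        result = run_once(argv_template, make_payload(n))
        if ranges and ranges[-1][2] == result:
            ranges[-1] = (ranges[-1][0], n, result)
        else:
            ranges.append((n, n, result))
    return ranges


def fake_editor_cmd(threshold=4100):
    """Constructed stand-in for a vulnerable editor (assumption, not a real
    program): reads the first line of the file and raises SIGSEGV on itself
    once that line is at least `threshold` bytes long."""
    script = (
        "import os, signal, sys\n"
        "line = open(sys.argv[1], 'rb').readline().rstrip(b'\\n')\n"
        "if len(line) >= int(sys.argv[2]):\n"
        "    os.kill(os.getpid(), signal.SIGSEGV)\n"
    )
    return [sys.executable, "-c", script, "{file}", str(threshold)]


def format_ranges(ranges):
    """Render ranges in the post's style, e.g. '4100 - 4140: signal 11'."""
    return ["%d - %d: %s %d" % (a, b, kind, val) for a, b, (kind, val) in ranges]


if __name__ == "__main__":
    # Sweep 4000..4190 in steps of 10 against the constructed target; replace
    # fake_editor_cmd() with e.g. ["ed", "-s", "{file}"] to test a real tool.
    for line in format_ranges(sweep(fake_editor_cmd(), range(4000, 4200, 10))):
        print(line)
```

The result key is the (kind, value) pair, so a change from "exit 0" to "signal 11", or from one signal to another, starts a new range; to separate crash sites within the same signal (the post's four ed segfaults are all SIGSEGV) run the target under gdb batch mode and fold the faulting function name into the key.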
    



    This archive was generated by hypermail 2b30 : Mon Nov 12 2001 - 08:25:31 PST