Buffer Overflow in uucp of SunOS 5.8

From: hipnosis hipnosis (hipnosisat_private)
Date: Mon Jan 13 2003 - 11:08:12 PST

Next message: Sylvain Robitaille: "Re: IMP 2.x SQL injection vulnerabilities"

Previous message: Daniel Ahlberg: "GLSA: libpng"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

('binary' encoding is not supported, stored as-is) Hi everybody Though I dont know if this vulnerability has be discovered previously I found a buffer overflow in the app uucp of SunOS 5.8 that it could be used to get privileges of uucp. Buffer is overflow when the app uucp is executed with the parameter -s continued of a string bigger than 7525 bytes. hipnosis% uucp -s `perl -e 'print "A"x7526'` Segmentation Fault hipnosis% uucp -s `perl -e 'print "A"x7525'` hipnosis% I have not been able to debug the app for see if the registers are overwrites because i have not any debugger in my machine and i have not too time. My system: hipnosis% uname -a SunOS averroes 5.8 Generic_108528-03 sun4u sparc SUNW,Ultra-250 hipnosis% Suid: hipnosis% ls -l /usr/bin/uucp ---s--x--x 1 uucp uucp 66940 eno 5 2000 /usr/bin/uucp hipnosis% Well, bye everybody

Next message: Sylvain Robitaille: "Re: IMP 2.x SQL injection vulnerabilities"
Previous message: Daniel Ahlberg: "GLSA: libpng"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jan 15 2003 - 10:31:30 PST