Re: Possible Overflow in ping, Linux?

From: Rui Seabra (rmsat_private)
Date: Fri Apr 20 2001 - 09:57:38 PDT


    Well....
    
    
    I repeated the test described below, and the result was this:
    open("/lib/libnss_dns.so.2", O_RDONLY)  = 3
    read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@\16\0\000"..., 1024) = 1024
    fstat64(3, {st_mode=S_IFREG|0755, st_size=63713, ...}) = 0
    old_mmap(NULL, 15644, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40199000
    mprotect(0x4019c000, 3356, PROT_NONE)   = 0
    old_mmap(0x4019c000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x2000) = 0x4019c000
    close(3)                                = 0
    munmap(0x40018000, 42772)               = 0
    write(2, "ping: unknown host AAAAAAAAAAAAA"..., 2020ping: unknown host A(...)AAAAAAAAAAAAAAAAAAA
    ) = 2020
    _exit(2)                                = ?
    [rms@greymalkin rms]$ uname -a; rpm -qf `which ping` ; rpm -q glibc nscd
    Linux xxxxxxxxxx.xxxx.xx 2.4.3 #2 Thu Apr 19 18:11:50 WEST 2001 i686 unknown
    iputils-20001010-1
    glibc-2.2-5
    package nscd is not installed
    
    No SIGPIPE or anything similar. Just unknown host.
    I am on RH 7.0.
    
    On Fri, Apr 20, 2001 at 12:52:34PM +0200, Martin Macok wrote:
    > On Wed, Apr 18, 2001 at 06:13:49PM +0200, Boris Gentleman Schauerte wrote:
    > > but I'm not sure if it is really an overflow, I haven't had enough time
    > > to test it in a debugger, but if I call "ping" under Linux (SuSE
    > > Linux 7.1) with more than 1020 (tested it with some other lengths)
    > > characters it seems to crash.
    > > I don't know if it is a mechanism to secure the program or a fault,
    > > or just a too long string without the possibility to insert
    > > shellcode.
    >
    > Red Hat Linux 7.1:
    > % H=`perl -e 'print "A"x2000'`
    > % ping $H
    > nscd: 426: key length in request too long: 2001
    > ping: unknown host AAAAAAA...
    > % strace ping $H
    > ...
    > connect(3, {sin_family=AF_UNIX, path="/var/run/.nscd_socket"}, 110) = 0
    > write(3, "\2\0\0\0\4\0\0\0\321\7\0\0", 12nscd: 426: key length in request too long: 2001
    > ) = 12
    > write(3, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 2001) = -1 EPIPE (Broken pipe)
    > --- SIGPIPE (Broken pipe) ---
    > +++ killed by SIGPIPE +++
    >
    > % uname -a; rpm -qf `which ping` ; rpm -q glibc nscd
    > Linux xxxxx.xxxxx.xxx.xxxx.cz 2.4.4-pre3 #1 Sat Apr 14 10:37:45 CEST 2001 i586 unknown
    > iputils-20001110-1
    > glibc-2.2.2-10
    > nscd-2.2.2-10
    >
    > > If it is not an overflow or this one is well known, I'm sorry to have contacted
    > > this group with faulty information.
    >
    > Have a nice day
    >
    > --
    >    Martin Macok
    >   underground.cz
    >     openbsd.cz
    
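The two straces above show what is actually going on: ping hands the hostname to the glibc resolver, which (when nscd is running) writes a 12-byte request header to /var/run/.nscd_socket followed by the hostname as the lookup key. The header in Martin's trace, "\2\0\0\0\4\0\0\0\321\7\0\0", is three little-endian 32-bit words: protocol version 2, request type 4 (GETHOSTBYNAME) and key length 0x7d1 = 2001. nscd rejects the oversized key, logs "key length in request too long", and closes the connection; the client's next write of the 2001-byte key then fails with EPIPE and, because nothing in the client ignores SIGPIPE, the kernel kills ping. On Rui's box nscd is not installed, so the resolver never touches that socket and simply reports "unknown host". The program below is an added example written for this archive page; it is not code from ping, glibc or nscd. It decodes the captured header, then replays the exchange over a socketpair(2) with the same process acting as both ends, and shows how the MSG_NOSIGNAL flag (or ignoring SIGPIPE) turns the fatal signal into a reportable EPIPE. The 1024-byte server-side limit is an assumption chosen so that 2001 is rejected while an ordinary hostname passes; the thread only shows that 2001 is over whatever limit nscd enforces. The field names version/type/key_len follow glibc's nscd client header, and the value 4 for GETHOSTBYNAME is read off the captured bytes.

```c
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

/* Values visible in the captured header "\2\0\0\0\4\0\0\0\321\7\0\0":
 * three little-endian 32-bit words: version, type, key_len. */
#define NSCD_VERSION   2u
#define GETHOSTBYNAME  4u
/* Assumed server-side limit. The thread only shows that 2001 is "too long";
 * 1024 is used here so that 2001 is rejected and a normal hostname is not. */
#define MAXKEYLEN      1024u

struct nscd_hdr { uint32_t version, type, key_len; };

/* The 12 header bytes ping wrote in Martin's strace (0321 octal = 0xd1). */
const unsigned char nscd_captured_hdr[12] = { 2,0,0,0, 4,0,0,0, 0xd1,0x07,0,0 };

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Decode a request header. Returns 1 on success, 0 if fewer than 12 bytes. */
int nscd_decode_hdr(const unsigned char *buf, size_t len, struct nscd_hdr *h)
{
    if (len < 12) return 0;
    h->version = le32(buf);
    h->type    = le32(buf + 4);
    h->key_len = le32(buf + 8);
    return 1;
}

/* Toy version of the server check behind "key length in request too long". */
int nscd_key_len_ok(const struct nscd_hdr *h)
{
    return h->version == NSCD_VERSION && h->key_len <= MAXKEYLEN;
}

/* Replay the client/server exchange over a socketpair, playing both ends.
 * Returns 0 if the key is accepted and drained, otherwise the errno from the
 * client's send() of the key.  With nosignal == 0 that failed send() also
 * raises SIGPIPE, which is what "+++ killed by SIGPIPE +++" shows; with
 * nosignal != 0, MSG_NOSIGNAL turns it into a plain EPIPE return value. */
int nscd_replay(uint32_t key_len, int nosignal)
{
    int sv[2], client, server, result = 0;
    unsigned char hdr[12], rbuf[12], tmp[256], *key = NULL;
    struct nscd_hdr h;
    uint32_t got = 0;
    ssize_t n;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return errno;
    client = sv[0]; server = sv[1];

    /* client: header first, exactly as in the strace */
    put_le32(hdr, NSCD_VERSION); put_le32(hdr + 4, GETHOSTBYNAME); put_le32(hdr + 8, key_len);
    if (write(client, hdr, sizeof hdr) != (ssize_t)sizeof hdr) { result = errno; goto out; }

    /* server: read the header and apply the length check; on failure it
     * just closes the connection without reading the key */
    if (read(server, rbuf, sizeof rbuf) != (ssize_t)sizeof rbuf ||
        !nscd_decode_hdr(rbuf, sizeof rbuf, &h)) { result = EIO; goto out; }
    if (!nscd_key_len_ok(&h)) { close(server); server = -1; }

    /* client: send the key (the hostname) into a possibly closed socket */
    key = malloc(key_len ? key_len : 1);
    if (!key) { result = ENOMEM; goto out; }
    memset(key, 'A', key_len);
    if (send(client, key, key_len, nosignal ? MSG_NOSIGNAL : 0) < 0) {
        result = errno;                       /* EPIPE when the server closed */
    } else {
        /* server drains the key; a real nscd would now answer the lookup */
        while (got < key_len && (n = read(server, tmp, sizeof tmp)) > 0) got += (uint32_t)n;
    }
out:
    free(key);
    close(client);
    if (server >= 0) close(server);
    return result;
}

int main(void)
{
    struct nscd_hdr h;
    nscd_decode_hdr(nscd_captured_hdr, sizeof nscd_captured_hdr, &h);
    printf("captured header: version=%u type=%u key_len=%u ok=%d\n",
           h.version, h.type, h.key_len, nscd_key_len_ok(&h));
    printf("64-byte key:   %d\n", nscd_replay(64, 1));
    printf("2001-byte key: %d (EPIPE is %d)\n", nscd_replay(2001, 1), EPIPE);
    /* Without MSG_NOSIGNAL the same send() delivers SIGPIPE and the process
     * dies, as ping did.  Ignoring the signal makes it a reportable error. */
    signal(SIGPIPE, SIG_IGN);
    printf("2001-byte key, SIGPIPE ignored: %d\n", nscd_replay(2001, 0));
    return 0;
}
```

The takeaway for triage: a "crash" at a round-number input length that strace attributes to SIGPIPE on a socket write is the peer hanging up on an over-long request, not memory corruption in ping; the string never reaches a fixed-size buffer in the client, and the decisive check is whether the same input still fails with nscd stopped.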



    This archive was generated by hypermail 2b30 : Sat Apr 21 2001 - 12:18:23 PDT