Here are several binaries on SCO that are not suid, however they seem to have classic overflows... I was wondering if these could be exploited due to the fact that a number of programs call them. vi, pg and more are the binaries in question.

    # SCO_SV frodev 3.2 5.0.6 i386
    # TERM=`perl -e 'print "A" x 7000'`
    # export TERM
    # vi
    Memory fault - core dumped
    # pg
    Memory fault - core dumped
    # more
    Memory fault - core dumped

Perhaps vi is exploitable via a suid program calling it?

    # ls -al /usr/bin/crontab
    lrwxrwxrwx 1 root root 39 Mar 26 08:23 /usr/bin/crontab -> /opt/K/SCO/Unix/5.0.6Ga/usr/bin/crontab
    # ls -al /opt/K/SCO/Unix/5.0.6Ga/usr/bin/crontab
    ---x--s--x 1 bin cron 39940 Jul 28 2000 /opt/K/SCO/Unix/5.0.6Ga/usr/bin/crontab
    # ls core*
    core
    # rm core
    # crontab -e

Note there was no message about it, but there is a new core file.

    # ls core
    core

Input, anyone?

-KF
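An added example, not part of the original post and not SCO code: one way a set-id program could scrub its environment before running an editor, so that an oversized TERM like the one in the session above is dropped instead of being passed on. The allowlist, the 64-byte cap and the names `value_ok` and `scrub_env` are assumptions made for illustration.

```c
#include <ctype.h>
#include <string.h>

#define VALUE_MAX 64  /* assumed cap; terminal and locale names are short */
static const char *const KEEP[] = { "TERM=", "LANG=" };  /* assumed allowlist */
#define NKEEP (sizeof KEEP / sizeof KEEP[0])

/* 1 if value is non-empty, at most VALUE_MAX bytes, and only [A-Za-z0-9._+-]. */
int value_ok(const char *value)
{
    size_t n;
    for (n = 0; value[n] != '\0'; n++) {
        unsigned char c = (unsigned char)value[n];
        if (n >= VALUE_MAX || (!isalnum(c) && strchr("._+-", c) == NULL))
            return 0;
    }
    return n > 0;
}

/* Fill out[] (outcap slots, NULL terminator included) with the allowlisted
 * variables from the NULL-terminated in[]. The first occurrence of a name
 * decides: if it fails validation, later duplicates are dropped as well.
 * Returns the number of entries written, not counting the terminator. */
size_t scrub_env(char *const in[], const char *out[], size_t outcap)
{
    int seen[NKEEP] = { 0 };
    size_t used = 0;
    if (outcap == 0)
        return 0;
    for (size_t i = 0; in[i] != NULL; i++) {
        for (size_t k = 0; k < NKEEP; k++) {
            size_t plen = strlen(KEEP[k]);
            if (strncmp(in[i], KEEP[k], plen) != 0)
                continue;               /* not this allowlisted name */
            if (!seen[k] && value_ok(in[i] + plen) && used + 1 < outcap)
                out[used++] = in[i];    /* keep the caller's string as is */
            seen[k] = 1;
            break;
        }
    }
    out[used] = NULL;
    return used;
}
```

The resulting array is suitable as the `envp` argument of `execve` when the program starts the editor.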
This archive was generated by hypermail 2b30 : Tue Jun 05 2001 - 23:39:18 PDT