m4 and format strings

From: KF (dotslashat_private)
Date: Tue Jun 26 2001 - 10:29:18 PDT


    I noticed on NT my m4 binary had format string issues... 
    
    bash-2.02$ uname -a
    CYGWIN_NT-4.0 TERMSRV 20.1 (0.3/1/1) 1998-12-3 20:39:18 i686 unknown
    
    bash-2.02$ m4  %s%s%s
    [main] c:\cygnus\CYGWIN~1\H-I586~1\bin\m4.exe 1015 (0) handle_exceptions: Exception: STATUS_ACCESS_VIOLATION
    [main] m4 1015 (0) handle_exceptions: Dumping stack trace to m4.exe.core
    
    
    [main] m4 1003 (0) exception: trapped!
    [main] m4 1003 (0) exception: code 0xC0000005 at 0x6102C597
    [main] m4 1003 (0) exception: ax 0x45 bx 0xE cx 0xA036220 dx 0x0
    [main] m4 1003 (0) exception: si 0xA036256 di 0x241FD24 bp 0x241FCF8 sp 0x241FBCC
    [main] m4 1003 (0) exception: exception is: STATUS_ACCESS_VIOLATION
    [main] m4 1003 (0) stack: Stack trace:
    [main] m4 1003 (0) stack: frame 0: sp = 0x241F9E0, pc = 0x6100A2C3
    [main] m4 1003 (0) stack: frame 1: sp = 0x241FA1C, pc = 0x77F97B06
    [main] m4 1003 (0) stack: frame 2: sp = 0x241FA40, pc = 0x77F899D7
    [main] m4 1003 (0) stack: frame 3: sp = 0x241FACC, pc = 0x77F76A12
    [main] m4 1003 (0) stack: frame 4: sp = 0x241FCF8, pc = 0x6102C670
    [main] m4 1003 (0) stack: frame 5: sp = 0x241FD0C, pc = 0x6100BE89
    [main] m4 1003 (0) stack: frame 6: sp = 0x241FD2C, pc = 0x6100DAF8
    [main] m4 1003 (1) stack: frame 7: sp = 0x241FE80, pc = 0x610309D1
    [main] m4 1003 (0) stack: frame 8: sp = 0x241FEB4, pc = 0x6105D7E2
    [main] m4 1003 (0) stack: frame 9: sp = 0x241FEC8, pc = 0x610527CF
    [main] m4 1003 (0) stack: frame 10: sp = 0x241FEF8, pc = 0x6105283A
    [main] m4 1003 (0) stack: frame 11: sp = 0x241FF0C, pc = 0x40BF1C
    [main] m4 1003 (0) stack: frame 12: sp = 0x241FF28, pc = 0x402256
    [main] m4 1003 (0) stack: frame 13: sp = 0x241FF40, pc = 0x61004402
    [main] m4 1003 (0) stack: frame 14: sp = 0x241FF88, pc = 0x61004420
    [main] m4 1003 (0) stack: frame 15: sp = 0x241FF94, pc = 0x4131CA
    [main] m4 1003 (0) stack: End of stack trace (more stack frames may be present)
    
    so I decided to check my unix box also... 
    
    [elguapo@linux elguapo]$ m4 %x,%x,%x,%x,%x,%x,%x
    m4: 0,bffff818,4000d2ce,805df78,8048c56,4002e0bc,4014af2c: No such file or directory
    
    can anyone think of a situation where this could cause root 
    to be exploited... m4 is not suid to my understanding. 
    
    -KF
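
The behaviour in the Linux output above, where the file name appears to be expanded as a format before ": No such file or directory" is appended, is what happens when an error reporter receives caller-supplied text in its format position. The following is an added example, not part of the original post and not m4's source; `report` is a hypothetical stand-in for an `error(status, errnum, fmt, ...)` style function, shown with the defective call beside the corrected one:

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reporter (assumption, not m4 code): writes
   "m4: <formatted message>: <strerror(errnum)>" into out. */
static void report(char *out, size_t n, int errnum, const char *fmt, ...)
{
    va_list ap;
    int used = snprintf(out, n, "m4: ");
    if (used < 0 || (size_t)used >= n)
        return;
    va_start(ap, fmt);
    int m = vsnprintf(out + used, n - used, fmt, ap);
    va_end(ap);
    if (m < 0 || (size_t)m >= n - used)
        return;
    used += m;
    snprintf(out + used, n - used, ": %s", strerror(errnum));
}

/* Defective pattern: the caller-supplied file name is the format string. */
static void open_failed_unsafe(char *out, size_t n, const char *name)
{
    report(out, n, ENOENT, name);
}

/* Corrected pattern: constant format, file name passed as data. */
static void open_failed_safe(char *out, size_t n, const char *name)
{
    report(out, n, ENOENT, "%s", name);
}

int main(void)
{
    char buf[256];
    /* "%%" consumes no argument, so it is a well-defined way to observe
       that the unsafe path interprets the name instead of printing it. */
    open_failed_unsafe(buf, sizeof buf, "a%%b");   /* name is rewritten */
    puts(buf);
    open_failed_safe(buf, sizeof buf, "a%%b");     /* name kept verbatim */
    puts(buf);
    /* Constructed input matching the post's command line. */
    open_failed_safe(buf, sizeof buf, "%x,%x,%x,%x,%x,%x,%x");
    puts(buf);
    return 0;
}
```

Building with `-Wformat -Wformat-security` flags a non-literal format only when the reporter is declared with `__attribute__((format(printf, ...)))`, so wrappers like this one need that attribute for the compiler to catch the defective call.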
    


