Re: Can anyone verify a core dump on /sbin/mingetty

From: dr john halewood (johnat_private)
Date: Tue Dec 04 2001 - 03:45:41 PST

    On Monday 03 December 2001 14:46, smackenz wrote:
    > *nix Issue - Anyone with 'mingetty':
    > [m0le@mainframe m0le]$ /sbin/mingetty `perl -e 'print "A"x9000'`
    > Segmentation fault (core dumped)
    
    strace'ing the program quickly reveals the problem:
    chown("/dev/AA[stripped]AAA,0, 0) = -1 ENAMETOOLONG (File name too long)
    --- SIGSEGV (Segmentation fault) ---
    
    If you look at around line 180 of mingetty.c you'll find the problem:
            char buf[20];
            int fd;
    
            /* Set up new standard input. */
            strcpy (buf, "/dev/");
            strcat (buf, tty);
            if (chown (buf, 0, 0) || chmod (buf, 0600))
                    error ("%s: %s", buf, sys_errlist[errno]);
    
    Basically a good old buffer overflow caused by insecure string handling. The 
    fix is trivial.
    
    Generating an exploit from it may be a little more tricky. I've tried it on a 
    number of machines and found the segfault to occur at different points each 
    time, but generally around 270 characters on ia32 and ~400 on an alpha. 
    
    cheers
    john
    
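    As an added example (not mingetty's own code and not from the poster), here is a bounded replacement for the strcpy/strcat sequence quoted above; the function name build_tty_path and the 20-byte buffer size are taken from the snippet's context, not from any real mingetty fix:

```c
/* Added example, not mingetty's code: a bounded version of the path
 * construction quoted from mingetty.c ~line 180. build_tty_path is a
 * hypothetical name. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define DEV_PREFIX "/dev/"

/* Build "/dev/<tty>" into buf (bufsz bytes). Returns 0 on success, or -1
 * with errno = ENAMETOOLONG if the result (plus NUL) would not fit; the
 * original strcpy/strcat pair had no such check and overran buf[20]. */
int build_tty_path(char *buf, size_t bufsz, const char *tty)
{
    size_t plen = strlen(DEV_PREFIX);
    size_t need = plen + strlen(tty) + 1;   /* +1 for the terminating NUL */
    if (need > bufsz) {
        errno = ENAMETOOLONG;
        if (bufsz)
            buf[0] = '\0';                  /* leave buf in a defined state */
        return -1;
    }
    memcpy(buf, DEV_PREFIX, plen);
    memcpy(buf + plen, tty, strlen(tty) + 1);
    return 0;
}

/* Demonstration with the same 20-byte buffer as the original: "tty1" fits,
 * a constructed 9000-byte name is rejected instead of smashing the stack. */
int main(void)
{
    char buf[20];
    char huge[9001];
    memset(huge, 'A', sizeof huge - 1);
    huge[sizeof huge - 1] = '\0';

    if (build_tty_path(buf, sizeof buf, "tty1") == 0)
        printf("ok: %s\n", buf);
    if (build_tty_path(buf, sizeof buf, huge) != 0)
        printf("rejected: %s\n", strerror(errno));
    return 0;
}
```

    With a 20-byte buffer the longest accepted tty name is 14 characters; the same effect can be had with snprintf as long as its return value is compared against the buffer size.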
    This archive was generated by hypermail 2b30 : Tue Dec 04 2001 - 09:54:22 PST