On Monday 03 December 2001 14:46, smackenz wrote:

> *nix Issue - Anyone with 'mingetty':
>
> [m0le@mainframe m0le]$ /sbin/mingetty `perl -e 'print "A"x9000'`
> Segmentation fault (core dumped)

strace'ing the program quickly reveals the problem:

    chown("/dev/AA[stripped]AAA,0, 0) = -1 ENAMETOOLONG (File name too long)
    --- SIGSEGV (Segmentation fault) ---

If you look at around line 180 of mingetty.c you'll find the problem:

    char buf[20];
    int fd;

    /* Set up new standard input. */
    strcpy (buf, "/dev/");
    strcat (buf, tty);

    if (chown (buf, 0, 0) || chmod (buf, 0600))
        error ("%s: %s", buf, sys_errlist[errno]);

Basically a good old buffer overflow caused by insecure string handling. The fix is trivial. Generating an exploit from it may be a little more tricky. I've tried it on a number of machines and found the segfault to occur at different points each time, but generally around 270 characters on ia32 and ~400 on an alpha.

cheers
john
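The overflow above comes from building "/dev/<tty>" with strcpy/strcat into a fixed 20-byte buffer with no length check. The following is an added example (not mingetty's own code or its actual fix) showing the bounded alternative: snprintf with its return value checked, so an over-long tty name is refused with ENAMETOOLONG instead of running past the buffer. The names build_dev_path, path_fits_safely and struct guarded are hypothetical; the canary bytes in the struct exist only so a test can show nothing was written past the 20-byte buffer.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Bounded replacement for the strcpy/strcat pair in the mingetty snippet.
 * Hypothetical helper, not mingetty's real fix. Writes "/dev/<tty>" into a
 * caller-supplied buffer; returns the path length on success, or -1 with
 * errno = ENAMETOOLONG when the result would not fit (buffer left empty). */
int build_dev_path(char *buf, size_t buflen, const char *tty)
{
    int n = snprintf(buf, buflen, "/dev/%s", tty);
    if (n < 0 || (size_t)n >= buflen) {
        if (buflen > 0)
            buf[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    return n;
}

/* Same 20-byte buffer as the original, followed by sentinel bytes so an
 * out-of-bounds write would be visible as a changed sentinel. */
struct guarded {
    char buf[20];
    char canary[8];
};

/* Returns 1 if "/dev/<tty>" was built into the 20-byte buffer without
 * touching the bytes after it, 0 if the name was rejected or the
 * sentinel was disturbed. */
int path_fits_safely(const char *tty)
{
    struct guarded g;
    size_t i;
    int rc;

    memset(g.canary, 'Z', sizeof g.canary);
    rc = build_dev_path(g.buf, sizeof g.buf, tty);
    for (i = 0; i < sizeof g.canary; i++)
        if (g.canary[i] != 'Z')
            return 0; /* memory past the buffer was clobbered */
    return rc >= 0;
}

int main(void)
{
    /* Constructed inputs: a normal tty name and a 9000-byte one like the
     * report's perl -e 'print "A"x9000'. */
    char big[9001];
    memset(big, 'A', 9000);
    big[9000] = '\0';

    printf("tty1  -> %s\n", path_fits_safely("tty1") ? "ok" : "rejected");
    printf("A*9000 -> %s\n", path_fits_safely(big) ? "ok" : "rejected");
    return 0;
}
```

The check is `(size_t)n >= buflen`, not `>`: snprintf reports the length the full string would have had, and the terminating NUL needs one more byte, so a 15-character tty name ("/dev/" plus 15 is 20) already does not fit in 20 bytes.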
This archive was generated by hypermail 2b30 : Tue Dec 04 2001 - 09:54:22 PST