Re: VIM Buffer Overflow

From: KF (dotslashat_private)
Date: Fri Feb 15 2002 - 14:23:12 PST


    I found this a while back and there was a whole nonsuid overflow 
    discussion over it...
    http://www.security-focus.com/cgi-bin/archive.pl?id=82&start=2002-02-13&end=2002-02-19&threads=1&tid=189062
    -KF
    
    Aramis Orlando wrote:
    
    > 
    > ==========================================
    > =  VI Overflow Tested in RedHat 7.0/7.1/7.2  =
    > =----------------------------------------=
    > =  Author:  Andrew Tofan                 =
    > =----------------------------------------=
    > =  Email:   aramisat_private            =
    > =----------------------------------------=
    > ==========================================
    > 
    > 
    > I've found a problem in vi, which is located in /bin/vi.
    > Here are some tests I've made in << VIM version 5.7.8 >>.
    > 
    > Take a look at my test:
    > 
    > [root@softly /root]# vi -t "`perl -e 'printf "A"x9000'`"
    > [root@softly /root]# gdb vi core
    > gdb output:
    > ==========
    > 
    > Program terminated with signal 11, Segmentation fault.
    > Reading symbols from /lib/libtermcap.so.2...(no debugging symbols found)...done.
    > Loaded symbols for /lib/libtermcap.so.2
    > Reading symbols from /lib/libc.so.6...done.
    > Loaded symbols for /lib/libc.so.6
    > Reading symbols from /lib/ld-linux.so.2...done.
    > Loaded symbols for /lib/ld-linux.so.2
    > Reading symbols from /lib/libnss_files.so.2...done.
    > Loaded symbols for /lib/libnss_files.so.2
    > #0  0x80644a7 in strcpy () at ../sysdeps/generic/strcpy.c:31
    > 31      ../sysdeps/generic/strcpy.c: No such file or directory.
    > 
    > then take a look at the registers:
    > ====================================
    > (gdb) info registers
    > eax            0x41414141       1094795585
    > ecx            0x41414141       1094795585
    > edx            0x1      1
    > ebx            0x1      1
    > esp            0xbfffd1c4       0xbfffd1c4
    > ebp            0xbfffd1dc       0xbfffd1dc
    > esi            0x41414141       1094795585
    > edi            0x0      0
    > eip            0x80644a7        0x80644a7
    > eflags         0x10206  66054
    > cs             0x23     35
    > ss             0x2b     43
    > ds             0x2b     43
    > es             0x2b     43
    > fs             0x2b     43
    > gs             0x2b     43
    > fctrl          0x0      0
    > fstat          0x0      0
    > ftag           0x0      0
    > fiseg          0x0      0
    > fioff          0x0      0
    > foseg          0x0      0
    > fooff          0x0      0
    > fop            0x0      0
    > I didn't waste my time writing an exploit because of this:
    > -rwxr-xr-x    1 root     root       361852 Aug  7  2000 /bin/vi
    > 
    > --==Aramis==--
    > 
    > 
    > 
    
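An added illustration, not vim's source (which this thread does not show): the unbounded strcpy() pattern that produces a crash like the one quoted above, beside a bounded replacement that refuses an over-long tag argument instead of overrunning the buffer. TAG_MAX and the function names are hypothetical.

```c
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define TAG_MAX 256   /* hypothetical fixed-size buffer for a tag name */

/* Vulnerable form (for contrast only): unbounded copy into a fixed stack
 * buffer. A tag longer than the buffer overruns it, which is what gdb showed
 * above: strcpy() faulting with 0x41414141 in the registers after 9000 'A's. */
int tag_copy_unbounded(const char *tag)
{
    char buf[TAG_MAX];
    strcpy(buf, tag);   /* no bound: overflow when strlen(tag) >= TAG_MAX */
    return (int)strlen(buf);
}

/* Hardened form: refuse the argument if it and its NUL cannot fit, then copy
 * exactly the measured bytes. memchr never scans past outlen.
 * Returns the copied length, or -1 with errno set to E2BIG. */
int tag_copy_bounded(const char *tag, char *out, size_t outlen)
{
    const char *nul = memchr(tag, '\0', outlen);
    if (nul == NULL) {             /* no terminator within outlen: too long */
        errno = E2BIG;
        return -1;
    }
    size_t n = (size_t)(nul - tag);
    memcpy(out, tag, n + 1);       /* n bytes plus the NUL */
    return (int)n;
}

/* Wrapper with a fixed TAG_MAX buffer, as a "-t" argument handler might have. */
int accept_tag(const char *tag)
{
    char buf[TAG_MAX];
    return tag_copy_bounded(tag, buf, sizeof buf);
}

/* Constructs a tag of `len` copies of `c` (like the 9000 'A's in the report)
 * and runs it through accept_tag(); returns its result. */
int accept_repeated(char c, size_t len)
{
    char *tag = malloc(len + 1);
    if (tag == NULL) return -1;
    memset(tag, c, len);
    tag[len] = '\0';
    int rc = accept_tag(tag);
    free(tag);
    return rc;
}
```

The 9000-byte input that crashed vi is rejected with -1 by the bounded path, while anything up to TAG_MAX-1 bytes is copied intact.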



    This archive was generated by hypermail 2b30 : Sat Feb 16 2002 - 09:06:58 PST