==========================================
= Pine Overflow Tested in RedHat 7.0 and others =
=----------------------------------------=
= Author: Andrei Tudorache               =
=----------------------------------------=
= Email: aramisat_private                =
=----------------------------------------=
==========================================

I've found a problem in pine, which is located in "/usr/bin/pine".
Here are some tests I've made in << PINE 4.21 >>.

Take a look at my test:

[root@softly /root]# pine -attach `perl -e 'print "A" x 20429'`
Segmentation fault (core dumped)
[root@softly /root]#

gdb output:
==========

Core was generated by `pine -attach AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libncurses.so.5...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libncurses.so.5
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /usr/kerberos/lib/libgssapi_krb5.so.2...done.
Loaded symbols for /usr/kerberos/lib/libgssapi_krb5.so.2
Reading symbols from /usr/kerberos/lib/libkrb5.so.3...done.
Loaded symbols for /usr/kerberos/lib/libkrb5.so.3
Reading symbols from /usr/kerberos/lib/libk5crypto.so.3...done.
Loaded symbols for /usr/kerberos/lib/libk5crypto.so.3
Reading symbols from /usr/kerberos/lib/libcom_err.so.3...done.
Loaded symbols for /usr/kerberos/lib/libcom_err.so.3
Reading symbols from /usr/lib/libssl.so.0...done.
Loaded symbols for /usr/lib/libssl.so.0
Reading symbols from /usr/lib/libcrypto.so.0...done.
Loaded symbols for /usr/lib/libcrypto.so.0
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /lib/libnss_nisplus.so.2...done.
Loaded symbols for /lib/libnss_nisplus.so.2
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/libnss_nis.so.2...done.
Loaded symbols for /lib/libnss_nis.so.2
#0  0x812a375 in strcpy () at ../sysdeps/generic/strcpy.c:31
31      ../sysdeps/generic/strcpy.c: No such file or directory.

then take a look at the registers:
====================================

(gdb) info all-registers
eax            0x0              0
ecx            0x0              0
edx            0xbfff6054       -1073782700
ebx            0x0              0
esp            0xbfff6184       0xbfff6184
ebp            0xbfff618c       0xbfff618c
esi            0x0              0
edi            0x0              0
eip            0x812a375        0x812a375
eflags         0x10246          66118
cs             0x23             35
ss             0x2b             43
ds             0x2b             43
es             0x2b             43
fs             0x2b             43
gs             0x2b             43
st0            0                (raw 0x00000000000000000000)
st1            0                (raw 0x00000000000000000000)
st2            0                (raw 0x00000000000000000000)
st3            0                (raw 0x00000000000000000000)
st4            0                (raw 0x00000000000000000000)
st5            0                (raw 0x00000000000000000000)
st6            0                (raw 0x00000000000000000000)
st7            0                (raw 0x00000000000000000000)
fctrl          0x0              0
fstat          0x0              0
ftag           0x0              0
fiseg          0x0              0
fioff          0x0              0
foseg          0x0              0
fooff          0x0              0
fop            0x0              0
(gdb)

I didn't waste my time writing an exploit because of this:

[root@softly /root]# ls -al `which pine`
-rwxr-xr-x    1 root     root      2680348 Aug 24  2000 /usr/bin/pine
[root@softly /root]#

--==Aramis==--
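The backtrace above ends in strcpy, the classic sign of a command-line string copied into a fixed-size buffer with no length check. The following is an added illustration of the hardened form of that copy, written for this archive page; it is not Pine's source and not the poster's code. The buffer size, the function names and the constructed 20429-byte argument are assumptions chosen to mirror the test in the post.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical buffer size for this illustration; the size of Pine's
   real buffer is not given in the post. */
#define ATTACH_PATH_MAX 1024

/* Hardened replacement for the unchecked strcpy(dst, src) pattern:
   refuse an over-long argument rather than truncating it silently, so
   the worst case is a clean error, not memory corruption. */
int copy_attach_checked(char *dst, size_t dst_size, const char *src)
{
    if (src == NULL || dst_size == 0)
        return -1;
    /* Look for the terminator only within the space we have; a huge
       argv string therefore costs a bounded scan and is rejected. */
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL)
        return -1;
    size_t n = (size_t)(end - src);
    memcpy(dst, src, n + 1);     /* n + 1 copies the terminating NUL */
    return 0;
}

/* Constructed argument of the length used in the post (20429 'A's). */
char *make_long_arg(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    char buf[ATTACH_PATH_MAX];
    char *arg = make_long_arg(20429);
    int rc = copy_attach_checked(buf, sizeof buf, arg);
    printf("20429-byte -attach argument: %s\n", rc == 0 ? "accepted" : "rejected");
    rc = copy_attach_checked(buf, sizeof buf, "report.txt");
    printf("short path: %s (%s)\n", rc == 0 ? "accepted" : "rejected", buf);
    free(arg);
    return 0;
}
```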
This archive was generated by hypermail 2b30 : Thu Feb 21 2002 - 10:52:42 PST