On Fri, 22 Mar 2002, Blue R wrote:

Hi,

-rwxr-xr-x 1 root root 8232 Sep 20 2001 /usr/bin/addresses

The /usr/bin/addresses binary belongs to the pilot-link package, but it is neither +s nor does it run as a daemon. So even if there is an overflow inside, it is of no use for attackers.

regards,
Sebastian

> Hi,
> I am using 2.4.10 and SuSE 7.1; the binary 'addresses' does not give much information, with no version options or man page etc. But it has the following behaviour:
>
> r@blue:~ > addresses
> usage:addresses /dev/cua??
>
> r@blue:~ >addresses `perl -e 'print "A" x 131'`
> pi_bind: No such file or directory
>
> r@blue:~ >addresses `perl -e 'print "A" x 132'`
> Segmentation fault
>
> r@blue:~ >gdb ./addresses
> GNU gdb 5.0
> Copyright 2000 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for details.
> This GDB was configured as "i386-suse-linux"...(no debugging symbols found)...
> (gdb) set args `perl -e 'print "A" x 132'`
> (gdb) r
> Starting program: /home/r/AUDIT/TEST/./addresses `perl -e 'print "A" x 132'`
> (no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
> Program received signal SIGSEGV, Segmentation fault.
> 0x400afdbb in getenv () from /lib/libc.so.6
> (gdb) info reg
> eax            0xbf004141       -1090502335
> ecx            0x8049ff0        134520816
> edx            0x4950           18768
> ebx            0x40198828       1075415080
> esp            0xbffeee94       0xbffeee94
> ebp            0xbffeeebc       0xbffeeebc
> esi            0xbffff500       -1073744640
> edi            0x4002a622       1073915426
> eip            0x400afdbb       0x400afdbb
> eflags         0x210286         2163334
> cs             0x23             35
> ss             0x2b             43
> ds             0x2b             43
> es             0x2b             43
> fs             0x0              0
> gs             0x0              0
> fctrl          0x37f            895
> fstat          0x0              0
> ftag           0xffff           65535
> fiseg          0x23             35
> fioff          0x4086106b       1082527851
> foseg          0x2b             43
> fooff          0xbfffec18       -1073746920
> fop            0x518            1304
>
> Regards,
> B.
>

--
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmerat_private - SuSE Security Team
~
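As an added example, not code from either poster, here is a small Python helper that applies Sebastian's triage mechanically: it parses the mode column of an `ls -l` line (the one quoted above, plus a constructed setuid line for contrast) and reports whether the binary is setuid or setgid, i.e. whether a crash in it would run with anything other than the caller's own privileges.

```python
"""Triage for the thread's question: does a crash in this local binary cross a
privilege boundary? Parses the symbolic mode column of `ls -l` output; a plain
-rwxr-xr-x binary runs as its caller, so an argv overflow there is a local crash."""
import stat

# st_mode bits for a plain r/w/x character at each of the nine ls -l positions
_PERM_BITS = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
              stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
              stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)

def parse_ls_mode(mode: str) -> int:
    """Convert a 10-character ls -l mode string (e.g. '-rwsr-xr-x') to st_mode bits."""
    if len(mode) != 10:
        raise ValueError(f"expected a 10-character mode string, got {mode!r}")
    bits = 0
    for pos, (ch, bit) in enumerate(zip(mode[1:], _PERM_BITS)):
        if ch == "-":
            continue
        if pos == 2 and ch in "sS":      # user exec slot: setuid ('S' = setuid without x)
            bits |= stat.S_ISUID | (stat.S_IXUSR if ch == "s" else 0)
        elif pos == 5 and ch in "sS":    # group exec slot: setgid
            bits |= stat.S_ISGID | (stat.S_IXGRP if ch == "s" else 0)
        elif pos == 8 and ch in "tT":    # other exec slot: sticky bit
            bits |= stat.S_ISVTX | (stat.S_IXOTH if ch == "t" else 0)
        elif ch == "rwx"[pos % 3]:
            bits |= bit
        else:
            raise ValueError(f"unexpected character {ch!r} at position {pos + 1}")
    return bits

def triage(ls_line: str) -> dict:
    """Classify one `ls -l` line: whose privileges a crash in this binary would have."""
    mode, _links, owner, group, _size, _mon, _day, _year, path = ls_line.split(None, 8)
    bits = parse_ls_mode(mode)
    setuid, setgid = bool(bits & stat.S_ISUID), bool(bits & stat.S_ISGID)
    if setuid or setgid:
        verdict = f"runs as {owner if setuid else 'caller'}:{group if setgid else 'caller'}; crosses a privilege boundary"
    else:
        verdict = "runs as the caller; local crash only, unless a privileged service invokes it"
    return {"path": path, "mode": oct(bits), "owner": owner, "group": group,
            "setuid": setuid, "setgid": setgid, "verdict": verdict}

if __name__ == "__main__":
    # First line is the one quoted in the thread; the second is a constructed
    # setuid example for contrast (hypothetical path, not a real file).
    print(triage("-rwxr-xr-x 1 root root 8232 Sep 20 2001 /usr/bin/addresses"))
    print(triage("-rwsr-xr-x 1 root root 12345 Jan  1 2002 /usr/bin/hypothetical-suid"))
```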
This archive was generated by hypermail 2b30 : Mon Mar 25 2002 - 09:31:27 PST