Bugtraq mailing list archives
Possible bufferoverflow condition in lpr, xterm and xload
From: bloodmask () mymail com (bloodmask)
Date: Tue, 13 Aug 1996 07:27:56 +0200
Greetings,

Quite surprised by mount's lack of boundary checking (after all, it's been with Linux for years), I woke up and started running a simple checkup on all the other suid binaries on popular Linux distributions. Anyway, Linux users, be very very afraid, it seems mount isn't alone. Not by a long shot. It seems other binaries on Linux and probably on most Unix platforms fail to perform this type of simple checkup on the size of command line arguments / environment variables in relation to internal buffer size.

The check I ran was simple: I coded a command line buffer overflow scanner, which simply attempted to overwrite the stack of all the suid binaries on my system. Suspicious and probably exploitable behavior was a segment of the binary upon execution, with scanner's command line supplied.

My midterm results: suspicious behavior in lpr [hoho, this is a quite common suid root binary, in many commercial and non-commercial versions of Unix]. lpr exhibited the same behavior as mount, by segmenting when supplied with an argument above 1024 bytes. xterm, xload, both segmented when supplied with -display command line argument / environment variable above its buffer size. Probably exploitable, although I haven't gotten around to verifying this myself. I'd like to hear comments concerning this suspicion of mine. Err... love to hear any comments...

C'ya folks
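The size check the post says these binaries omit, as an added example that is not part of the original post or of the lpr, xterm or xload sources. The names `bounded_copy`, `get_display` and `DISPLAY_MAX` are hypothetical, and the 1024-byte buffer size is an assumption taken from the figure the post gives for lpr.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DISPLAY_MAX 1024 /* assumed size; the post cites 1024 bytes for lpr */

/* Copy src into dst only if it fits, terminator included; 0 on success,
 * -1 if src is NULL or too long. Oversized input is rejected, not truncated,
 * so a privileged program never acts on a partial value. */
int bounded_copy(char *dst, size_t dstsize, const char *src)
{
    const char *end;
    if (dst == NULL || dstsize == 0) return -1;
    dst[0] = '\0';
    if (src == NULL) return -1;
    end = memchr(src, '\0', dstsize); /* never scans past dstsize bytes */
    if (end == NULL) return -1;       /* no terminator in range: too long */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Hypothetical helper: prefer "-display <name>" from argv over $DISPLAY,
 * and apply the same length check to whichever source is used. */
int get_display(int argc, char **argv, const char *env_display,
                char *out, size_t outsize)
{
    const char *chosen = env_display;
    int i;
    for (i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-display") == 0) {
            chosen = (i + 1 < argc) ? argv[i + 1] : NULL; /* missing value */
            break;
        }
    }
    return bounded_copy(out, outsize, chosen);
}

int main(int argc, char **argv)
{
    char display[DISPLAY_MAX];

    if (get_display(argc, argv, getenv("DISPLAY"), display, sizeof display) != 0) {
        fprintf(stderr, "display name missing or too long\n");
        return 1;
    }
    printf("display: %s\n", display);
    return 0;
}
```

Both the command-line value and the environment value pass through the same check, since the post reports the fault for either source.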