Bugtraq mailing list archives

Re: Irix buffer overflow in /bin/df


From: lamontg () HITL WASHINGTON EDU (Lamont Granquist)
Date: Wed, 28 May 1997 07:32:00 -0700


On Sat, 24 May 1997, David Hedley wrote:
> The version of 'df' which comes with Irix 6.2, whilst having the buffer
> overflow problem, is not vulnerable to this exploit as it is compiled as
> a 64bit N32 object and it is virtually impossible to exploit buffer
> overflows in such programs.

Tests on an R4400 (Indigo) and an R4600 running 6.2 both were exploitable,
although another R4400 (Onyx) running 6.2 was not exploitable.  Your
mileage may vary.

As David mentioned,

% file /bin/df
/bin/df:        ELF 32-bit MSB mips-2 dynamic executable MIPS - version 1

is exploitable, while,

% file /bin/df
/bin/df:        ELF N32 MSB mips-3 dynamic executable MIPS - version 1

is not.

--
Lamont Granquist <lamontg () hitl washington edu> (206)616-1469 fax:(206)543-5380
Human Interface Technology Lab.  University of Washington.  Seattle, WA
PGP pubkey: finger lamontg () near hitl washington edu
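
The o32/N32 distinction that the two `file` outputs in the message draw can also be read directly from the ELF header, which is useful when auditing many binaries. The following is an added example, not part of the original post: it assumes the standard ELF layout and the MIPS e_flags bits (EF_MIPS_ABI2 marks N32); the function names and the sample headers are constructed for illustration.

```python
import struct
import sys

EM_MIPS = 8                  # e_machine value for MIPS
EF_MIPS_ABI2 = 0x00000020    # e_flags bit set on N32 objects
EF_MIPS_ARCH = 0xF0000000    # e_flags field holding the ISA level


def classify_mips_elf(header: bytes) -> str:
    """Return '<abi> <isa>' (e.g. 'o32 mips-2') from the first bytes of an ELF file."""
    if len(header) < 52 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF header")
    ei_class, ei_data = header[4], header[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unknown ELF class or byte order")
    endian = ">" if ei_data == 2 else "<"          # 2 = MSB, as on IRIX
    (e_machine,) = struct.unpack_from(endian + "H", header, 18)
    if e_machine != EM_MIPS:
        return "not-mips"
    # e_flags sits after three address-sized fields, so its offset depends on class.
    flags_off = 36 if ei_class == 1 else 48
    (e_flags,) = struct.unpack_from(endian + "I", header, flags_off)
    # Field values 0..3 correspond to mips-1..mips-4, the naming `file` prints.
    isa = "mips-%d" % (((e_flags & EF_MIPS_ARCH) >> 28) + 1)
    if ei_class == 2:
        abi = "n64"
    elif e_flags & EF_MIPS_ABI2:
        abi = "n32"                                 # 32-bit container, new ABI
    else:
        abi = "o32"                                 # the old 32-bit ABI
    return abi + " " + isa


def sample_header(e_flags: int) -> bytes:
    """Constructed 52-byte big-endian ELF32 MIPS header carrying the given e_flags."""
    ident = b"\x7fELF" + bytes([1, 2, 1]) + bytes(9)
    return ident + struct.pack(">HHIIIIIHHHHHH", 2, EM_MIPS, 1, 0x400000,
                               52, 0, e_flags, 52, 32, 0, 40, 0, 0)


if __name__ == "__main__":
    if len(sys.argv) > 1:                           # classify real files by path
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, classify_mips_elf(fh.read(64)))
    else:                                           # constructed samples
        print(classify_mips_elf(sample_header(0x10000000)))
        print(classify_mips_elf(sample_header(0x20000020)))
```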


