Bugtraq mailing list archives
Re: Buffer overflows in Minicom 1.80.1
From: woloszyn () IT PL (M.C.Mar)
Date: Mon, 31 Aug 1998 11:13:38 +0200
On Sat, 29 Aug 1998, Eduardo Navarro wrote:
> I have found some buffer overflows in Minicom 1.80.1, which comes setuid root with Slackware 3.5. I know that some overflows in other versions of minicom (not setuid root) were discussed, but I think this one is "new" and more dangerous.
Hi! I found those overflows about 2 months ago and it does not seem to be exploitable in an easy way. Look at this:

    woozle:~> gdb ./minicom
    [...]
    (gdb) r -t /dev/ttyp`perl -e 'print "A" x 9000'`
    [...]
    Program received signal SIGSEGV, Segmentation fault.
    0x400ae057 in strcpy ()
    (gdb) backtrace
    #0  0x400ae057 in strcpy ()
    #1  0xbfffd638 in ?? ()
    #2  0x804981e in free ()
    [...]
    (gdb) x/i 0x400ae057
    0x400ae057 <strcpy+19>:    movb   %al,(%ecx,%edx,1)
    [...]
    (gdb) info registers
    eax            0x4806dc41       1208409153
    [...]

I tried to play with the data to bypass that, but with no success :( Same with TERM and HOME.

Another interesting thing is that procmail also contains a similar bug:

    woozle:~> gdb ./procmail
    [...]
    (gdb) r `perl -e 'print "A" x 5000'`
    Starting program: /home/emsi/./procmail `perl -e 'print "A" x 5000'`
    [You need to type ^D here!!!]
    procmail: Couldn't create "/var/spool/mail/emsi"
    (no debugging symbols found)...(no debugging symbols found)...
    Program received signal SIGSEGV, Segmentation fault.
    0x4008a107 in malloc ()

Interesting, isn't it? But look at this:

    (gdb) r `perl -e 'print "A" x 7000'`
    [...]
    Starting program: /home/emsi/./procmail `perl -e 'print "A" x 7000'`
    procmail: Couldn't create "/var/spool/mail/emsi"
    Program received signal SIGSEGV, Segmentation fault.
    0x4007dfa3 in strncmp ()

But this time, there is something more interesting:

    (gdb) x/i 0x4007dfa3
    0x4007dfa3 <strncmp+19>:   lodsb  %ds:(%esi),%al
    (gdb) info registers
    eax            0x41414141       1094795585
    esi            0x41414141       1094795585
    ds             0x2b     43

Also malloc looks interesting. While in the case of minicom it seems impossible to me to exploit it, in the case of procmail it is much more interesting and I would like to discuss the possibility of exploiting it.

Oh, I almost forgot:

    woozle:~> ./procmail -v
    procmail v3.10 1994/10/31
    written and created by Stephen R. van den Berg    berg () pool informatik rwth-aachen de

All has been tested on Slackware 3.5.
RegardZ,
Kil3r

--
___________________________________________________________________________
M.C.Mar                  An NT server can be run by an idiot, and usually is.
emsi () it pl      "If you can't make it good, make it LOOK good." - Bill Gates
Maybe this isn't the place, but, for example, M$ programs are monuments to stupidity in their own right.
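The crash in the minicom session above is the classic unbounded strcpy() of a command-line argument into a fixed-size buffer. The following is an added example written for this archive page, not code from minicom, procmail or the poster: it places that "before" pattern beside a hardened copy routine that refuses oversized input instead of writing past the buffer, and a separate policy check for a device argument. TTY_NAME_MAX, the function names and the "/dev/ttyp" + N x 'A' builder are all constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative buffer size, chosen for this example (not minicom's own). */
#define TTY_NAME_MAX 64

/* "Before": the pattern behind the SIGSEGV inside strcpy() in the gdb
 * session. The argument is copied with no length check, so anything longer
 * than TTY_NAME_MAX - 1 bytes runs off the end of the stack buffer.
 * Shown for contrast only; never called with untrusted input. */
void unsafe_set_tty(const char *arg)
{
    char buf[TTY_NAME_MAX];
    strcpy(buf, arg);            /* unbounded copy: overflow on long input */
    printf("using %s\n", buf);
}

/* "After": copy only if the whole string plus its NUL fits in dst.
 * Returns 0 on success, -1 if src would overflow dst (no silent truncation,
 * which could otherwise turn "/dev/ttypAAAA..." into a different device). */
int copy_tty_name(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size)
        return -1;               /* reject instead of writing past dst */
    memcpy(dst, src, len + 1);   /* len + 1 includes the terminating NUL */
    return 0;
}

/* Policy check a setuid program should apply to a device argument before
 * using it: the name must sit directly under /dev/ with no further path
 * components. Constructed check, not minicom's own logic. */
int valid_tty_arg(const char *arg)
{
    static const char prefix[] = "/dev/";
    size_t plen = sizeof prefix - 1;
    if (strncmp(arg, prefix, plen) != 0)
        return 0;
    const char *name = arg + plen;
    if (*name == '\0')
        return 0;
    if (strchr(name, '/') != NULL)           /* no subdirectories */
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return 1;
}

/* Build "/dev/ttyp" followed by n copies of 'A' (the shape of the perl
 * one-liner in the post) and push it through the hardened path.
 * Returns 0 if the name was accepted, -1 if it was refused; the stack
 * buffer is only used when the copy succeeded. */
int safe_set_tty_with_padding(size_t n)
{
    static const char base[] = "/dev/ttyp";
    size_t blen = sizeof base - 1;
    char *arg = malloc(blen + n + 1);
    if (arg == NULL)
        return -1;
    memcpy(arg, base, blen);
    memset(arg + blen, 'A', n);
    arg[blen + n] = '\0';

    char buf[TTY_NAME_MAX];
    int rc = copy_tty_name(buf, sizeof buf, arg);
    if (rc == 0 && !valid_tty_arg(buf))
        rc = -1;
    free(arg);
    return rc;
}

int main(void)
{
    printf("9000 x 'A': %d\n", safe_set_tty_with_padding(9000));  /* -1 */
    printf("1 x 'A':    %d\n", safe_set_tty_with_padding(1));     /* 0  */
    printf("/etc/passwd valid? %d\n", valid_tty_arg("/etc/passwd")); /* 0 */
    return 0;
}
```

With TTY_NAME_MAX of 64, "/dev/ttyp" plus 54 A's (63 bytes) is the longest name that fits; 55 A's is refused. Refusing rather than truncating matters in a setuid program because a silently shortened device name is still a name the program would go on to open.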