Bugtraq mailing list archives
bof in sdtcm_convert (Solaris 2.5)
From: na98jen () STUDENT HIG SE (Joel Eriksson)
Date: Fri, 23 Oct 1998 19:16:26 +0200
/usr/dt/bin/sdtcm_convert seems to have a buffer-overflow. Cut'n paste the text below to test for it:
---
cd /tmp
cp /usr/dt/bin/sdtcm_convert test
truss -o blaha ./test -d /tmp `perl -e 'print "A"x10265'`
tail -5 blaha
---
This is what I get:
---
Incurred fault #6, FLTBOUNDS
  %pc = 0xEF4E2EA0
  siginfo: SIGSEGV SEGV_MAPERR addr=0x41004EFC
Received signal #11, SIGSEGV [default]
  siginfo: SIGSEGV SEGV_MAPERR addr=0x41004EFC
    *** process killed ***
                                      ^^------- ASCII-code for 'A'
---
If I use print "A"x10268 all of the address is 0x41's.

No setuid() in the truss-output, so it does not drop root-privs either..

If I have totally misunderstood something here please let me know, and if someone manages to write an exploit for it please send it to me. :-) I've tried myself but it's not going too well .. :-P

/Joel Eriksson
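The following is an added example, not code from the post and not the source of sdtcm_convert (which is not on the page). It models in C the defect the truss output points to, a command-line argument copied into a fixed-size stack buffer with no length check, and places the bounded copy that rejects the 10265-byte argument beside it. It also includes a small crash-triage helper that counts how many bytes of a 32-bit fault address equal the fill byte of the test input, which is the observation the post makes about 0x41 in addr=0x41004EFC. The buffer size DIR_BUF and every function name are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DIR_BUF 256   /* assumed size of the fixed stack buffer; not taken from sdtcm_convert */

/* The pattern the crash suggests (hypothetical model, not the real program's code):
 * an argument is copied into a fixed-size stack buffer without a length check,
 * so an argument longer than the buffer overwrites whatever follows it on the
 * stack. Kept here for comparison only; nothing below calls it. */
void copy_dir_unchecked(const char *arg)
{
    char dir[DIR_BUF];
    strcpy(dir, arg);           /* unbounded copy: this is the defect */
    printf("using directory %s\n", dir);
}

/* Hardened form: refuse any argument that does not fit together with its NUL.
 * Returns 0 on success, -1 when the argument is too long. */
int copy_dir_bounded(char *dst, size_t dstsz, const char *arg)
{
    size_t n = strlen(arg);
    if (dstsz == 0 || n >= dstsz)
        return -1;
    memcpy(dst, arg, n + 1);    /* n < dstsz, so the terminator fits */
    return 0;
}

/* Builds a constructed argument of `arglen` 'A' bytes, like the perl one-liner
 * in the report, and returns what the bounded copy does with it. */
int bounded_copy_outcome(size_t arglen)
{
    char dir[DIR_BUF];
    char *arg = malloc(arglen + 1);
    int rc;
    if (arg == NULL)
        return -1;
    memset(arg, 'A', arglen);
    arg[arglen] = '\0';
    rc = copy_dir_bounded(dir, sizeof dir, arg);
    free(arg);
    return rc;
}

/* Crash triage: how many of the four bytes of a 32-bit fault address equal the
 * fill byte of the test input. For the report's addr=0x41004EFC and 'A' this
 * is 1; for an address made entirely of 0x41 bytes it is 4. */
int count_fill_bytes(uint32_t addr, unsigned char fill)
{
    int count = 0;
    for (int i = 0; i < 4; i++) {
        if (((addr >> (8 * i)) & 0xFFu) == fill)
            count++;
    }
    return count;
}

int main(int argc, char **argv)
{
    char dir[DIR_BUF];
    const char *arg = argc > 1 ? argv[1] : "/tmp";

    if (copy_dir_bounded(dir, sizeof dir, arg) != 0) {
        fprintf(stderr, "argument too long (%zu bytes, limit %d)\n",
                strlen(arg), DIR_BUF - 1);
        return 1;
    }
    printf("accepted directory %s\n", dir);
    printf("fault 0x41004EFC: %d byte(s) of 'A'\n",
           count_fill_bytes(0x41004EFCu, 'A'));
    return 0;
}
```

Run with the same argument the post uses (`./a.out "$(perl -e 'print "A"x10265')"`) and the bounded version exits with an error instead of faulting; the triage helper is a quick way to confirm, from a core or truss line alone, whether a fault address is built from the test input's bytes before anyone spends time on a full analysis.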