Bugtraq mailing list archives

bof in sdtcm_convert (Solaris 2.5)

From: na98jen () STUDENT HIG SE (Joel Eriksson)
Date: Fri, 23 Oct 1998 19:16:26 +0200


/usr/dt/bin/sdtcm_convert seems to have a buffer-overflow.

Cut'n paste the text below to test for it:
---
cd /tmp
cp /usr/dt/bin/sdtcm_convert test
truss -o blaha ./test -d /tmp `perl -e 'print "A"x10265'`
tail -5 blaha
---

This is what I get:
---
    Incurred fault #6, FLTBOUNDS  %pc = 0xEF4E2EA0
      siginfo: SIGSEGV SEGV_MAPERR addr=0x41004EFC
    Received signal #11, SIGSEGV [default]
      siginfo: SIGSEGV SEGV_MAPERR addr=0x41004EFC
        *** process killed ***            ^^------- ASCII-code for 'A'
---

If I use print "A"x10268 all of the address is 0x41's.

No setuid() in the truss-output, so it does not drop root-privs either..

If I have totally misunderstood something here please let me know, and if
someone manages to write an exploit for it please send it to me. :-)
I 've tried myself but it's not going too well .. :-P

/Joel Eriksson

Current thread:

13 tiny bytes to show the huge sillyness of our great common bt398 (Oct 21)
- Re: 13 tiny bytes to show the huge sillyness of our great common Tero Pelander (Oct 22)
- bof in sdtcm_convert (Solaris 2.5) Joel Eriksson (Oct 23)
- buffer overflow vulnerability in netscape 3.0 to 4.5 Paul Boehm (Oct 23)
  - Re: buffer overflow vulnerability in netscape 3.0 to 4.5 Paul Boehm (Oct 23)