Bugtraq mailing list archives
Re: Solaris /usr/bin/cu Vulnerability
From: Konrad Rieck <kr () R0Q CX>
Date: Thu, 18 Jan 2001 23:57:12 +0100
(Dont know about Solaris 8)
I could reproduce the segmentation fault on Solaris 8 x86 and Sparc. The source of /usr/bin/cu shows that argv[0] is simply strcpy()'ed to a buffer that is only 15 bytes long. Using strncpy() might be a solution. The strange thing is that all other programs that are part of the uucp package copy a constant program name into the buffer and don't use argv[0] at all. (bnuconvert, ct, dial, uucheck, uucico, uucleanup, uucp, uushched, uustat, uux and uuxqt). Well, maybe people at Sun can explain, why it is necessary to retrieve the program name from the arguments in case of cu. I am a total uucp fool and have no clue. cu is only set setuid for the owner uucp and an attacker won't gain any special privileges, but he would gain access to the files in /etc/uucp. Regards, Konrad -- Konrad Rieck <kr () r0q cx> Roqefellaz - http://www.r0q.cx, GPG Public Key http://www.r0q.cx/keys/kr.pub -- Fingerprint: 3AA8 CF92 C179 9760 C3B3 1B43 33B6 9221 AFBF 5897
Current thread:
- Solaris /usr/bin/cu Vulnerability Pablo Sor (Jan 18)
- Re: Solaris /usr/bin/cu Vulnerability Tomas Cibulka (Jan 18)
- Re: Solaris /usr/bin/cu Vulnerability Juergen P. Meier (Jan 19)
- Re: Solaris /usr/bin/cu Vulnerability Casper Dik (Jan 22)
- Re: Solaris /usr/bin/cu Vulnerability Juergen P. Meier (Jan 19)
- Solaris /usr/bin/cu Vulnerability hal King (Jan 23)
- Re: Solaris /usr/bin/cu Vulnerability Dan Harkless (Jan 30)
- <Possible follow-ups>
- Re: Solaris /usr/bin/cu Vulnerability Konrad Rieck (Jan 19)
- Re: Solaris /usr/bin/cu Vulnerability Michael H. Warfield (Jan 19)
- Re: Solaris /usr/bin/cu Vulnerability Wietse Venema (Jan 22)
- Re: Solaris /usr/bin/cu Vulnerability Michael H. Warfield (Jan 19)
- Re: Solaris /usr/bin/cu Vulnerability optyx (Jan 30)
- Re: Solaris /usr/bin/cu Vulnerability Dan Harkless (Jan 31)
- Re: Solaris /usr/bin/cu Vulnerability Tomas Cibulka (Jan 18)