Bugtraq mailing list archives
DGUX lpsched buffer overflow
From: Luciano Miguel Ferreira Rocha <strange () nsk yi org>
Date: Mon, 19 Mar 2001 22:07:07 +0000
Hi there!

There's a vulnerability in DG's UNIX implementation (DGUX), version R4.20MU06 and MU02 (ia32 arch). The problem is when a very long, non-existent, printer name is passed to the program lpsched. It tries to format an error message and then the buffer overflow occurs...

Data General was told about the vulnerability over almost two years ago (as the computer department of my university, Universidade do Minho, Portugal). Or at least I tried to, but didn't get an answer from any email address I tried.

I didn't post this to bugtraq before because I forgot about it. Browsing from old archives of mine I found this and decided to post it.

How to exploit:
- Use the attached exploit program like this:
  ./squash-dgux-x86 29000 /usr/lib/lp/lpsched -S EGG
  (if the 29000 doesn't work, try 27428 or other numbers)
- Details of the shell code and the vulnerability can be found in http://strange.nsk.yi.org/squash-dgux-x86/
- Unfortunately I have no longer access to a DGUX system, so I can't find more vulnerabilities...

Fix:
- chmod -s /usr/lib/lp/lpsched
- switch to a better UNIX like system (sorry, dgux people)

hugs
Luciano Rocha
Attachment:
squash-dgux-x86.c
Description: squash-dgux-x86.c
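The message attributes the overflow to formatting an error message around an over-long printer name. As an added illustration (not code from the post, the attached program, or DG/UX, whose lpsched source is not shown here), this is a bounded formatter for that kind of error path in C. The function name, the message text and both size limits are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define ERRBUF_SIZE      256  /* assumed; the real buffer size is not on the page */
#define MAX_PRINTER_NAME  64  /* assumed policy limit for a printer name */

enum { FMT_OK = 0, FMT_NAME_TOO_LONG = -1, FMT_TRUNCATED = -2, FMT_BAD_ARG = -3 };

/* Unbounded pattern behind this bug class, shown for contrast only:
 *     char msg[ERRBUF_SIZE];
 *     sprintf(msg, "unknown printer \"%s\"", name);
 */

/* Length of s, never reading more than max bytes. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t i = 0;
    while (i < max && s[i] != '\0')
        i++;
    return i;
}

/* Write the error text into out (always NUL-terminated) and report what happened. */
int format_unknown_printer(char *out, size_t outlen, const char *name)
{
    int w;

    if (out == NULL || outlen == 0 || name == NULL)
        return FMT_BAD_ARG;
    out[0] = '\0';
    /* Reject over-long names before they reach the formatter, without echoing them. */
    if (bounded_len(name, MAX_PRINTER_NAME + 1) > MAX_PRINTER_NAME) {
        snprintf(out, outlen, "printer name too long (limit %d bytes)", MAX_PRINTER_NAME);
        return FMT_NAME_TOO_LONG;
    }
    /* snprintf never writes past outlen; a return >= outlen means truncation. */
    w = snprintf(out, outlen, "unknown printer \"%s\"", name);
    return (w < 0 || (size_t)w >= outlen) ? FMT_TRUNCATED : FMT_OK;
}

int main(int argc, char **argv)
{
    char msg[ERRBUF_SIZE];
    int rc = format_unknown_printer(msg, sizeof msg, argc > 1 ? argv[1] : "lp0");
    fprintf(stderr, "demo: %s (status %d)\n", msg, rc);
    return rc == FMT_OK ? 0 : 1;
}
```

A non-zero status lets the caller log and refuse the request instead of continuing with a partial message.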