Vulnerability Development mailing list archives

Re: VIM Buffer Overflow


From: KF <dotslash () snosoft com>
Date: Fri, 15 Feb 2002 17:23:12 -0500

I found this a while back and there was a whole nonsuid overflow discussion over it...
http://www.security-focus.com/cgi-bin/archive.pl?id=82&start=2002-02-13&end=2002-02-19&threads=1&tid=189062
-KF

Aramis Orlando wrote:


==========================================
=  VI Overflow Tested in RedHat 7.0/7.1/7.2  =
=----------------------------------------=
=  Author:  Andrew Tofan                 =
=----------------------------------------=
=  Email:   aramis () easynet ro            =
=----------------------------------------=
==========================================


I've found a problem in vi, which is located in /bin/vi. Here are some tests I've made in << VIM version 5.7.8 >>.

Take a look at my test:

[root@softly /root]# vi -t "`perl -e 'printf "A"x9000'`"
[root@softly /root]# gdb vi core
gdb output:
==========

Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libtermcap.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libtermcap.so.2
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
#0  0x80644a7 in strcpy () at ../sysdeps/generic/strcpy.c:31
31      ../sysdeps/generic/strcpy.c: No such file or directory.

then take a look at the registers:
====================================
(gdb) info registers
eax            0x41414141       1094795585
ecx            0x41414141       1094795585
edx            0x1      1
ebx            0x1      1
esp            0xbfffd1c4       0xbfffd1c4
ebp            0xbfffd1dc       0xbfffd1dc
esi            0x41414141       1094795585
edi            0x0      0
eip            0x80644a7        0x80644a7
eflags         0x10206  66054
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x2b     43
gs             0x2b     43
fctrl          0x0      0
fstat          0x0      0
ftag           0x0      0
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
I didn't waste my time writing an exploit because of this:
-rwxr-xr-x 1 root root 361852 Aug 7 2000 /bin/vi

--==Aramis==--
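The crash in the post is a strcpy() of an over-long -t argument into a fixed-size buffer. As an added illustration (not Vim's code and not from the original post), here is that pattern next to a bounded version that refuses an argument that does not fit; TAG_MAX, the function names and the 9000-byte sample are assumptions constructed to mirror the report.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class in the report above: a tag
 * name from the command line is copied into a fixed buffer.  This is not
 * Vim's code; TAG_MAX and the function names are assumptions. */
#define TAG_MAX 256

/* Vulnerable pattern: strcpy() with no length check.  Kept only for
 * contrast; with an argument of TAG_MAX bytes or more it writes past dest. */
void set_tag_unsafe(char dest[TAG_MAX], const char *arg)
{
    strcpy(dest, arg);
}

/* Hardened pattern: look for the terminator only within TAG_MAX bytes, so
 * even a huge or unterminated argument is never scanned past the bound;
 * refuse anything that does not fit and always leave dest NUL-terminated.
 * Returns 0 when the tag was stored, -1 when it was rejected. */
int set_tag_safe(char dest[TAG_MAX], const char *arg)
{
    const char *end = memchr(arg, '\0', TAG_MAX);
    if (end == NULL) {          /* no terminator in range: too long */
        dest[0] = '\0';
        return -1;
    }
    memcpy(dest, arg, (size_t)(end - arg) + 1);  /* includes the NUL */
    return 0;
}

int main(void)
{
    static char huge[9001];     /* constructed: the report's 9000 'A' bytes */
    char tag[TAG_MAX];

    memset(huge, 'A', 9000);
    huge[9000] = '\0';

    if (set_tag_safe(tag, huge) != 0)
        printf("rejected %zu-byte tag\n", strlen(huge));
    if (set_tag_safe(tag, "main") == 0)
        printf("accepted tag \"%s\"\n", tag);
    return 0;
}
```

The unsafe variant is present only to show the difference; the program never calls it with the over-long input.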