Bugtraq mailing list archives
Re: [linux-security] Linux NetKit-B update.
From: aleph1 () UNDERGROUND ORG (Aleph One)
Date: Sun, 4 Aug 1996 00:12:13 -0700
From: Casper Dik <casper () holland Sun COM>
>> 6. Buffer overflow in ping mentioned yesterday, but it's not on the stack and consequently probably not exploitable. Patch: use snprintf.
>
> Stack vs. heap is irrelevant. The V6 'login' overrun bug was in data space, rather than on the stack, and it gave a very nice way to log in as root.

It *is* relevant. Overflows on the stack can almost always be exploited, as you can put some code on the stack and make the system return there. When you overflow the data segment you have no control over the return statement, and putting code there is not helpful. In some circumstances, however, there just happen to be interesting variables in the data segment after the buffer you can overflow. Both the V6 login and one of the (many) rdist bugs are examples of data layout that can be abused.
> No, I don't remember the exact character string to enter ... ;-)

I'm pretty sure it was something like "password<encrypted password string>"

Casper
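A worked illustration of the data-layout point made in the reply above, added here as an example that is not part of the original thread and not code from V6 login, rdist or NetKit: a hypothetical login routine keeps a short password buffer immediately followed in memory by the flag that decides whether the caller is let in, so an over-long input spills into the flag without touching any return address. Beside it is the same routine patched the way the advisory item suggests (a bounded, NUL-terminating copy with snprintf). The struct, the function names (login_vulnerable, login_fixed, flag_offset), PW_LEN and the SECRET value are all assumptions made for the demo.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical layout (assumption for the demo): a short password buffer
 * followed directly by the flag that decides whether the user gets in.
 * Nothing here is taken from V6 login, rdist or NetKit; it only models the
 * "interesting variable after the buffer" situation the thread describes. */
#define PW_LEN 8
#define SECRET "hunter2"   /* made-up secret for the demo */

struct login_state {
    char password[PW_LEN];
    int  authenticated;    /* sits at offset PW_LEN, right after the buffer */
};

/* Where the flag sits relative to the buffer: the bytes of an over-long
 * input starting at this offset land in the flag. */
size_t flag_offset(void) { return offsetof(struct login_state, authenticated); }

static int password_ok(const char *pw) {
    return strncmp(pw, SECRET, PW_LEN) == 0;
}

/* Vulnerable form: the input is copied with no regard for PW_LEN, which is
 * what strcpy() would do. The copy is written as a byte loop capped at
 * sizeof(struct) purely so the demo cannot run off the end of the object
 * and crash; for the first PW_LEN bytes it behaves exactly like strcpy().
 * The flag is only ever *set* on success and never cleared, so whatever the
 * overflow wrote into it survives a failed password check. */
int login_vulnerable(const char *input) {
    struct login_state st;
    unsigned char *raw = (unsigned char *)&st;   /* flat view: buffer, then flag */
    size_t i;

    memset(&st, 0, sizeof st);
    for (i = 0; input[i] != '\0' && i + 1 < sizeof st; i++)
        raw[i] = (unsigned char)input[i];
    raw[i] = '\0';

    if (password_ok(st.password))
        st.authenticated = 1;
    return st.authenticated;           /* nonzero == logged in */
}

/* Patched form, the fix the advisory item names: a bounded, NUL-terminating
 * copy with snprintf(), rejection of any input that would have been
 * truncated, and the flag assigned unconditionally from the check so no
 * stale value can leak through. */
int login_fixed(const char *input) {
    struct login_state st;
    int n = snprintf(st.password, sizeof st.password, "%s", input);

    st.authenticated = (n >= 0 && (size_t)n < sizeof st.password
                        && password_ok(st.password));
    return st.authenticated;
}

int main(void) {
    /* constructed input: 12 bytes, fills the 8-byte buffer and spills 3
     * nonzero bytes plus the terminator into the flag */
    const char *overlong = "AAAAAAAAAAAA";

    printf("flag sits %zu bytes after the buffer start\n", flag_offset());
    printf("vulnerable: correct pw -> %d, wrong pw -> %d, overlong -> %d\n",
           login_vulnerable(SECRET), login_vulnerable("wrong"),
           login_vulnerable(overlong));
    printf("fixed:      correct pw -> %d, wrong pw -> %d, overlong -> %d\n",
           login_fixed(SECRET), login_fixed("wrong"), login_fixed(overlong));
    return 0;
}
```

The struct is used only to make the adjacency deterministic for the demo; with two separate globals in .data the linker chooses the order, which is exactly the "data layout that can be abused" situation: whether a data-segment overflow is exploitable depends on what the toolchain happened to place after the buffer, not on the stack being involved. The patched version also shows the second half of the fix that snprintf alone does not give you: treating a truncated copy as a failure rather than comparing the truncated prefix.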
Current thread:
- Re: [linux-security] Linux NetKit-B update. Aleph One (Aug 04)
- Re: [linux-security] Linux NetKit-B update. Leendert van Doorn (Aug 05)
- Re: login v6 ??? ALEXANDER SCHUETZ (Aug 07)