Bugtraq mailing list archives
rlogin bug and buffer overflow thoughts
From: cc317 () freenet toronto on ca (Laslo Orto)
Date: Wed, 28 Aug 1996 20:37:14 -0400
The bug exists also in FreeBSD (don't know what version exactly but I think all of them), BSDI 2.1 and SunOS 4.1.4 (and probably other versions). I haven't been able to exploit it because (I might be wrong): the vulnerable function does not use return(value), it uses exit(value) instead, so the overflowed part of the stack with the changed address is never accessed.

I wrote a "vulnerable" test to check it.

-----------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void)
{
    char string[256];

    /* no bounds check: a TERM value longer than the buffer overflows the stack */
    strcpy(string, getenv("TERM"));

    /* everything that comes after this call still works, like: */
    printf("%s", string);

    return 0;   /* the overwritten return address is used here */
}
-----------------------------------------------------------------

This gives me a shell when the TERM is a long string with the proper instructions. But this one didn't give a shell:

-----------------------------------------------------------------
#include <stdlib.h>
#include <string.h>

int main(void)
{
    char string[256];

    strcpy(string, getenv("TERM"));

    exit(0);    /* never returns, so the overwritten return address is never used */
}
-----------------------------------------------------------------

Any comments?
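A bounds-checked replacement for the strcpy(string, getenv("TERM")) call in the test programs above, as an added example that is not part of the original post; the names copy_bounded and load_term are chosen here, and the test values are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hardened form of strcpy(dst, src) into a fixed-size stack buffer:
 * copies src only if it fits in dst including the terminating NUL.
 * Returns 0 on success, -1 (with dst left empty) if src is NULL or too long.
 * memchr is limited to dstsize bytes, so an over-long src is never scanned
 * or copied past the buffer. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    const char *nul;
    size_t len;

    if (dstsize == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)                 /* getenv() returns NULL when TERM is unset */
        return -1;
    nul = memchr(src, '\0', dstsize);
    if (nul == NULL)                 /* no terminator within dstsize: would overflow */
        return -1;
    len = (size_t)(nul - src);       /* always < dstsize, so len + 1 bytes fit */
    memcpy(dst, src, len + 1);
    return 0;
}

/* Same shape as the post's test, a 256-byte buffer filled from TERM,
 * but refusing values that do not fit instead of overflowing the stack. */
int load_term(char *out, size_t outsize)
{
    return copy_bounded(out, outsize, getenv("TERM"));
}

int main(void)
{
    char string[256];

    if (load_term(string, sizeof string) != 0) {
        fprintf(stderr, "TERM unset or longer than %zu bytes; refusing\n",
                sizeof string - 1);
        return 1;
    }
    printf("%s\n", string);
    return 0;
}
```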