Bugtraq mailing list archives

rlogin bug and buffer overflow thoughts


From: cc317 () freenet toronto on ca (Laslo Orto)
Date: Wed, 28 Aug 1996 20:37:14 -0400


The bug also exists in FreeBSD (I don't know exactly which version, but I
think all of them), BSDI 2.1 and SunOS 4.1.4 (and probably other versions).
I haven't been able to exploit it because (I might be wrong):
the vulnerable function does not use return(value); it uses exit(value)
instead, so the overflowed part of the stack with the changed address is
never accessed.
I wrote a "vulnerable" test to check it.
-----------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void)
{
        char string[256];

        /* deliberately unbounded copy: a TERM longer than 256 bytes
         * overwrites the saved return address */
        strcpy(string, getenv("TERM"));
/* everything that comes after this call still works, like: */
        printf("%s", string);
        return 0;       /* ret pops the overwritten address */
}
-----------------------------------------------------------------
This gives me a shell when TERM is a long string with the proper
instructions.
But this one didn't give a shell:
-----------------------------------------------------------------
#include <stdlib.h>
#include <string.h>

int main(void)
{
        char string[256];

        /* same unbounded copy, but main() never returns */
        strcpy(string, getenv("TERM"));
        exit(0);        /* the overwritten return address is never popped */
}
----------------------------------------------------------------
Any comments ?
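Whether or not the saved return address is ever popped, the fix is to stop the write from reaching it. The following is an added example (not code from the original post) of a bounded replacement for the strcpy(getenv("TERM")) calls above; the function names, the 256-byte buffer size and the constructed inputs are assumptions. The copy is refused, not silently truncated, when the value would not fit together with its terminating NUL, so no stack data past the buffer is touched in either the return() or the exit() variant.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TERM_BUF 256            /* same buffer size as in the tests above (assumed) */

/* Result codes for copy_env_bounded(). */
enum { COPY_OK = 0, COPY_MISSING = 1, COPY_TOO_LONG = 2 };

/*
 * Copy an environment value into dst (dstlen bytes), checking the length
 * first. Unlike strcpy(), a 300-byte value can never write past a 256-byte
 * stack buffer; it is rejected and dst is left as an empty string.
 * value may be NULL, which is what getenv() returns for an unset variable.
 */
int copy_env_bounded(const char *value, char *dst, size_t dstlen)
{
    if (dstlen == 0)
        return COPY_TOO_LONG;
    dst[0] = '\0';                  /* dst is always NUL-terminated on return */
    if (value == NULL)
        return COPY_MISSING;
    /* strnlen() stops at dstlen, so an attacker-sized value is never scanned
     * in full; anything of length >= dstlen cannot fit with its NUL. */
    size_t n = strnlen(value, dstlen);
    if (n >= dstlen)
        return COPY_TOO_LONG;       /* refuse rather than truncate */
    memcpy(dst, value, n + 1);      /* n bytes plus the terminating NUL */
    return COPY_OK;
}

/*
 * Helper for checking the boundary: build a constructed value of `len`
 * 'A' bytes (a stand-in for a long TERM) and report the copy result into
 * a TERM_BUF-sized stack buffer, exactly as the vulnerable tests would use it.
 */
int try_term_len(size_t len)
{
    char *value = malloc(len + 1);
    if (value == NULL)
        return COPY_MISSING;
    memset(value, 'A', len);
    value[len] = '\0';

    char string[TERM_BUF];
    int rc = copy_env_bounded(value, string, sizeof string);
    free(value);
    return rc;
}

/* Same shape as the original tests, but using the real TERM variable. */
int main(void)
{
    char string[TERM_BUF];
    int rc = copy_env_bounded(getenv("TERM"), string, sizeof string);

    if (rc == COPY_OK)
        printf("TERM=%s\n", string);
    else if (rc == COPY_MISSING)
        fprintf(stderr, "TERM is not set\n");
    else
        fprintf(stderr, "TERM longer than %d bytes, refusing\n", TERM_BUF - 1);
    exit(rc);
}
```

The boundary is at TERM_BUF - 1 characters: 255 bytes plus NUL fits, 256 does not. The deliberately separate result codes make it possible for the caller to distinguish "unset" from "hostile length" instead of crashing on a NULL strcpy() source or overflowing on a long one.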


