Bugtraq mailing list archives

Re: $HOME buffer overflow in SunOS 5.8 x86

From: Nicolas Dubee <ndubee () df ru>
Date: Wed, 6 Jun 2001 05:12:55 +0400 (MSD)

On Mon, Jun 04, 2001 at 06:14:30PM +0300, Georgi Guninski wrote:

$HOME buffer overflow in SunOS 5.8 x86

...

Digital Unix V4.0C is vulnerable:

digital> uname -a
OSF1 digital V4.0 564.32 alpha
digital> setenv HOME `perl -e 'print "a"x1100'`
Received disconnect: Command terminated on signal 6.

[and I am logged out of the machine]


rather looks like a bug in the shell itself, or in some library function used in
it. What shell are you using?

As for the Sparc mail, at least 2.6 is also affected (most surely others as
well, the program doesn't actually crash but loops in a signal handler):

   yoki# uname -a
   SunOS yoki 5.6 Generic_105181-06 sun4u sparc SUNW,Ultra-1
   yoki# more truss.output
... 
   getgid()                                        = 1 [6]
   setgid(1)                                       = 0
   access("dead.letter", 0)                        Err#2 ENOENT
   access(".", 2)                                  = 0
   stat("dead.letter", 0xEFFFD1A8)                 Err#2 ENOENT
   brk(0x0003F120)                                 = 0
   brk(0x00041120)                                 = 0
   
access("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
 0) Err#78 ENAMETOOLONG
   
access("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
 2) Err#78 ENAMETOOLONG
       Incurred fault #5, FLTACCESS  %pc = 0x00017EDC
         siginfo: SIGBUS BUS_ADRALN addr=0x41414209
       Received signal #10, SIGBUS [caught]
         siginfo: SIGBUS BUS_ADRALN addr=0x41414209
   sigaction(SIGBUS, 0xEFFFCC50, 0xEFFFCCD0)       = 0
   sigaction(SIGBUS, 0xEFFFCC50, 0xEFFFCCD0)       = 0
   write(2, " A A A A A A A A A A A A".., 9139)    = 9139 
   write(2, " :   E R R O R   s i g n".., 15)      = 15
   write(2, " 1 0\n", 3)                           = 3
...



-nd

Current thread:

$HOME buffer overflow in SunOS 5.8 x86 Georgi Guninski (Jun 04)
- Re: $HOME buffer overflow in SunOS 5.8 x86 Juergen P. Meier (Jun 05)
  - Re: $HOME buffer overflow in SunOS 5.8 x86 Gunnar Wolf (Jun 05)
    - Re: $HOME buffer overflow in SunOS 5.8 x86 Tohru Watanabe (Jun 05)
    - Re: $HOME buffer overflow in SunOS 5.8 x86 Patrick Finch (Jun 05)
    - Re: $HOME buffer overflow in SunOS 5.8 x86 Kris Kennaway (Jun 08)
- <Possible follow-ups>
- Re: $HOME buffer overflow in SunOS 5.8 x86 SChoe (Jun 05)
- Re: $HOME buffer overflow in SunOS 5.8 x86 Nicolas Dubee (Jun 05)