Vulnerability Development mailing list archives
Re: Can anyone verify a core dump on /sbin/mingetty
From: dr john halewood <john () frumious unidec co uk>
Date: Tue, 4 Dec 2001 11:45:41 +0000
On Monday 03 December 2001 14:46, smackenz wrote:
> *nix Issue - Anyone with 'mingetty':
>
> [m0le@mainframe m0le]$ /sbin/mingetty `perl -e 'print "A"x9000'`
> Segmentation fault (core dumped)

strace'ing the program quickly reveals the problem:

    chown("/dev/AA[stripped]AAA,0, 0) = -1 ENAMETOOLONG (File name too long)
    --- SIGSEGV (Segmentation fault) ---

If you look at around line 180 of mingetty.c you'll find the problem

    char buf[20];
    int fd;

    /* Set up new standard input. */
    strcpy (buf, "/dev/");
    strcat (buf, tty);
    if (chown (buf, 0, 0) || chmod (buf, 0600))
        error ("%s: %s", buf, sys_errlist[errno]);

Basically a good old buffer overflow caused by insecure string handling. The fix is trivial. Generating an exploit from it may be a little more tricky. I've tried it on a number of machines and found the segfault to occur at different points each time, but generally around 270 characters on ia32 and ~400 on an alpha.

cheers
john
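
Added example, not part of the original post and not the mingetty project's actual patch: a bounded way to build the /dev/<tty> path that the quoted snippet builds with strcpy/strcat into a 20-byte buffer. The helper name build_tty_path, the TTY_PATH_MAX constant and the name-validation rules are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define TTY_PATH_MAX 20   /* assumed name; same size as buf[] in the quoted snippet */

/* Hypothetical helper (not from mingetty.c): builds "/dev/<tty>" into buf
 * without ever writing past buflen.
 * Returns 0 on success, -1 if the name is rejected or would not fit. */
int build_tty_path(char *buf, size_t buflen, const char *tty)
{
    int n;

    if (buf == NULL || buflen == 0)
        return -1;
    buf[0] = '\0';

    /* Assumed policy: non-empty, relative, and no ".." so the result
     * cannot point outside /dev. */
    if (tty == NULL || tty[0] == '\0' || tty[0] == '/')
        return -1;
    if (strstr(tty, "..") != NULL)
        return -1;

    /* snprintf reports the length it wanted to write; a value >= buflen
     * means the output was truncated, so refuse instead of using it. */
    n = snprintf(buf, buflen, "/dev/%s", tty);
    if (n < 0 || (size_t)n >= buflen) {
        buf[0] = '\0';
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    char buf[TTY_PATH_MAX];

    if (argc != 2 || build_tty_path(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "invalid tty name\n");
        return 1;
    }
    printf("%s\n", buf);   /* the caller would chown/chmod this path next */
    return 0;
}
```

Rejecting an over-long name outright, rather than silently truncating it, keeps the later chown/chmod from acting on a different device node than the one named on the command line.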