Vulnerability Development mailing list archives

Re: Can anyone verify a core dump on /sbin/mingetty


From: dr john halewood <john () frumious unidec co uk>
Date: Tue, 4 Dec 2001 11:45:41 +0000

On Monday 03 December 2001 14:46, smackenz wrote:
*nix Issue - Anyone with 'mingetty':
[m0le@mainframe m0le]$ /sbin/mingetty `perl -e 'print "A"x9000'`
Segmentation fault (core dumped)

strace'ing the program quickly reveals the problem:
chown("/dev/AA[stripped]AAA,0, 0) = -1 ENAMETOOLONG (File name too long)
--- SIGSEGV (Segmentation fault) ---

If you look at around line 180 of mingetty.c you'll find the problem:
        char buf[20];
        int fd;

        /* Set up new standard input. */
        strcpy (buf, "/dev/");
        strcat (buf, tty);
        if (chown (buf, 0, 0) || chmod (buf, 0600))
                error ("%s: %s", buf, sys_errlist[errno]);

Basically a good old buffer overflow caused by insecure string handling. The 
fix is trivial.

Generating an exploit from it may be a little more tricky. I've tried it on a 
number of machines and found the segfault to occur at different points each 
time, but generally around 270 characters on ia32 and ~400 on an alpha. 

cheers
john
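For readers who want to see what the "trivial fix" looks like in practice, the following is an added example written for this archive page; it is not code from the post above nor from mingetty itself. It keeps mingetty's 20-byte buffer but replaces the unchecked strcpy/strcat pair with a length-checked path builder. The helper name build_tty_path() and the constructed 9000-character input are assumptions of the example, not names from the source.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hardened replacement for the strcpy/strcat sequence quoted from mingetty.c.
 * build_tty_path() is a hypothetical helper name chosen for this example.
 * On success it writes "/dev/<tty>" into dst and returns 0. If the name would
 * not fit (including the NUL terminator) it returns -1 with errno set to
 * ENAMETOOLONG and never writes beyond dstlen bytes. A NULL or empty name, or
 * a name containing a path separator, is rejected with EINVAL so that the
 * result always stays a bare entry under /dev. */
int build_tty_path(char *dst, size_t dstlen, const char *tty)
{
    if (dst == NULL || tty == NULL || dstlen == 0) {
        errno = EINVAL;
        return -1;
    }
    if (tty[0] == '\0' || strchr(tty, '/') != NULL) {
        errno = EINVAL;
        return -1;
    }

    /* snprintf() truncates silently, so the return value must be checked:
     * n >= dstlen means the full string did not fit. */
    int n = snprintf(dst, dstlen, "/dev/%s", tty);
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[20];                 /* same size as the buffer in mingetty.c */
    static char longname[9001];   /* constructed: the 9000 'A's from the report */

    memset(longname, 'A', 9000);
    longname[9000] = '\0';

    if (build_tty_path(buf, sizeof buf, "tty1") == 0)
        printf("ok: %s\n", buf);

    if (build_tty_path(buf, sizeof buf, longname) != 0)
        printf("rejected: %s\n", strerror(errno));

    return 0;
}
```

With a 20-byte destination, "/dev/" plus a 14-character name fills the buffer exactly; a 15-character name is refused instead of spilling onto the stack. The point to carry away is that the bound comes from the size of the destination, not from any assumption about how long a tty name "should" be, and that the caller must act on the -1 rather than proceed to chown() with a partial path.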
