Vulnerability Development mailing list archives

Re: Editor Overflows / Format Issues (pico)


From: "Matthew S. Hallacy" <poptix () techmonkeys org>
Date: Thu, 15 Nov 2001 21:26:48 -0600

pico has a lot of format problems. I've cored it a few times when
using the internal search function on some source code; I was searching
for something containing a few %s's along with "'s and )'s =)

Although, it could just be a buffer overflow:

^W
[~90 chars worth of a string i want to match]
<return>
Segmentation fault (core dumped)

(gdb) bt
#0  0x08066cab in strcpy ()
#1  0xbffff88c in ?? ()
#2  0x080683a5 in strcpy ()
#3  0x08067336 in strcpy ()
#4  0x0806466f in strcpy ()
#5  0x0804a019 in strcpy ()



I see very few circumstances where this would be exploitable though, perhaps
one of those 'restricted' menu systems, or as a way to bypass the restrictions
you can put on pico for executing commands from inside it.

                                -poptix


On Sun, Nov 11, 2001 at 08:50:57PM -0500, elguapo wrote:
Well since the vi overflow generated some comments... same issue with
pico... again not suid and probably useless but here it is... as a side
note this is a format strings and buffer overflow issue.

This is on OpenUNIX 8:
$ pico `perl -e 'print "A" x 9000'`

   UW PICO(tm) 2.9                New Buffer

Memory fault(coredump)

Now I have also seen systems where this does not work... however a use of
%s gets around this as shown below...

This is on FreeBSD 4.4:
   UW PICO(tm) 4.0                New Buffer

                     [ Filename "AAAAAAAAAA..." too long ]

pico `perl -e 'print "%x" x 900'`
   UW PICO(tm) 4.0                New Buffer
  [ Filename "00000..." too long ]

pico `perl -e 'print "%s" x 40'`
   UW PICO(tm) 4.0                 File: %s%s%s%s
   UW PICO(tm) 4.0                New Buffer
Segmentation fault (core dumped)

On some versions I have seen %x or %p make pico show
[ Filename "0xbff7f..." too long ]
Usually, however, it shows 000000000 as the file name.

Any comments... other results... or possible uses of this issue?

-KF
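The two symptoms in this thread (a crash inside strcpy() on a long string, and a filename of %s/%x sequences being interpreted rather than shown) are the classic pair of an unbounded copy followed by user text used as a printf format. The following is an added example, not pico's code and not posted by either author: a stand-in for an editor's "File: <name>" status line written the hardened way, with the defective pattern shown in a comment for contrast. The function names, the width budget and the sample inputs are assumptions constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not pico's code: a stand-in for the editor's
 * "File: <name>" status line.  NAME_SHOWN (how much of a long name is
 * echoed back) and the function names are assumptions. */
#define NAME_SHOWN 10

/* The defect pattern the thread's output points at, shown for contrast
 * and deliberately not compiled:
 *
 *     char line[80];
 *     strcpy(line, name);     -- unbounded copy: the crash inside strcpy()
 *     printf(line);           -- name used as the format string: "%s%s%s%s"
 *                                is interpreted as conversions, not printed
 */

/* Hardened form: the write is bounded by snprintf, the name is passed as an
 * argument to a fixed format (so '%' in it is data), and over-long names
 * are cut and flagged instead of copied whole.
 * Returns 1 if the name was too long and truncated, 0 if shown in full,
 * -1 on bad arguments. */
int status_line(char *out, size_t outsz, const char *name)
{
    if (out == NULL || name == NULL || outsz == 0)
        return -1;

    size_t len = strlen(name);
    int truncated = len > NAME_SHOWN;

    if (truncated)
        /* "%.*s" limits how many bytes of name are consumed */
        snprintf(out, outsz, "[ Filename \"%.*s...\" too long ]",
                 (int)NAME_SHOWN, name);
    else
        /* "%s" means the name is never parsed for conversions */
        snprintf(out, outsz, "File: %s", name);
    return truncated;
}

/* Demonstration inputs constructed to mirror the thread: a 9000-byte name of
 * 'A's and a name made of conversion specifiers.  Returns 1 when both are
 * handled as intended (long name flagged, %s shown literally). */
int demo(void)
{
    char out[128];
    char big[9001];
    memset(big, 'A', 9000);
    big[9000] = '\0';

    int t1 = status_line(out, sizeof out, big);
    printf("%s  (truncated=%d)\n", out, t1);

    int t2 = status_line(out, sizeof out, "%s%s%s%s");
    printf("%s  (truncated=%d)\n", out, t2);
    return t1 == 1 && t2 == 0 && strcmp(out, "File: %s%s%s%s") == 0;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

The point of the hardened form is not to strip '%' from the name (which would silently alter legitimate filenames) but to make sure caller-controlled text only ever reaches the formatting routine as an argument, with every copy bounded by the destination size.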

