Vulnerability Development mailing list archives
Re: UUCP
From: Enchanter tim <rlf () plan-9 org>
Date: Fri, 30 Nov 2001 19:53:22 +0100
On Thursday 29 November 2001 13:13, Izik wrote:
Hello i've found buffer overflow in uucp. in BSDi platform's right now i've checked that on:
----SNIP-----
buffer overflow is based on command line argv. for ex: /usr/bin/uucp `perl -e 'print "A" x 900'` `perl -e 'print "A" x 900'` `perl -e 'print "A" x 356'`
It doesnt seem to work on Slackware 8.0, though.. lucien@Rhoxy:~$ /usr/bin/uucp `perl -e 'print "A" x 90000'` `perl -e 'print "A" x 90000'` `perl -e 'print "A" x 35060'` bash: /usr/bin/uucp: Argument list too long Shorter strings of A ( I just added extra 0's ) just give a "filename too long" lucien@Rhoxy:~$ uucp -v uucp: Taylor UUCP 1.06.1, copyright (C) 1991, 92, 93, 94, 1995 Ian Lance Taylor lucien@Rhoxy:~$ ls -al /usr/bin/uucp -r-sr-xr-x 1 uucp bin 82928 Jun 21 2000 /usr/bin/uucp*
since uucp is by nature suid. and the ownership is by uucp i don't see the real profit. what does bother me is that uucp also got a daemon ...
Well, it would confuse logging, for one thing :) And think about situations where someone has a restricted shell ..
Singed. izik @ http://www.tty64.org