Vulnerability Development mailing list archives

Re: UUCP

From: Enchanter tim <rlf () plan-9 org>
Date: Fri, 30 Nov 2001 19:53:22 +0100

On Thursday 29 November 2001 13:13, Izik wrote:

Hello

i've found buffer overflow in uucp. in BSDi platform's
right now i've checked that on:

----SNIP-----

buffer overflow is based on command line argv. for ex:

/usr/bin/uucp `perl -e 'print "A" x 900'` `perl -e 'print "A" x 900'`
`perl -e 'print "A" x 356'`


It doesnt seem to work on Slackware 8.0, though..

lucien@Rhoxy:~$  /usr/bin/uucp `perl -e 'print "A" x 90000'` `perl -e 'print "A" x 90000'` `perl -e 'print "A" x 35060'`
bash: /usr/bin/uucp: Argument list too long
Shorter strings of A ( I just added extra 0's ) just give a "filename too long"
lucien@Rhoxy:~$ uucp -v
uucp: Taylor UUCP 1.06.1, copyright (C) 1991, 92, 93, 94, 1995 Ian Lance Taylor
lucien@Rhoxy:~$ ls -al /usr/bin/uucp
-r-sr-xr-x   1 uucp     bin         82928 Jun 21  2000 /usr/bin/uucp*


since uucp is by nature suid. and the ownership is by uucp
i don't see the real profit. what does bother me is that uucp
also got a daemon ...


Well, it would confuse logging, for one thing :)
And think about situations where someone has a restricted shell ..


Singed.
izik @ http://www.tty64.org

Current thread:

UUCP Izik (Nov 29)
- RE: UUCP Ziggy (Nov 30)
- Re: UUCP Bob Howard (Nov 30)
- Re: UUCP Iván Arce (Nov 30)
- Re: UUCP Enchanter tim (Nov 30)