Vulnerability Development mailing list archives

pine overflow


From: Andrei Tudorache <aramis () easynet ro>
Date: 21 Feb 2002 07:56:42 -0000



==========================================
=  Pine Overflow Tested in RedHat 7.0 and others   =
=----------------------------------------=
=  Author:  Andrei Tudorache             =
=----------------------------------------=
=  Email:   aramis () easynet ro            =
=----------------------------------------=
==========================================


I've found a problem in pine, which is located in "/usr/bin/pine".
Here are some tests I've made in << PINE 4.21 >>.

Take a look at my test:


[root@softly /root]# pine  -attach `perl -e 'print "A" x 20429'`
Segmentation fault (core dumped)
[root@softly /root]#
gdb output:
==========

Core was generated by `pine -attach AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libncurses.so.5...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libncurses.so.5
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /usr/kerberos/lib/libgssapi_krb5.so.2...done.
Loaded symbols for /usr/kerberos/lib/libgssapi_krb5.so.2
Reading symbols from /usr/kerberos/lib/libkrb5.so.3...done.
Loaded symbols for /usr/kerberos/lib/libkrb5.so.3
Reading symbols from /usr/kerberos/lib/libk5crypto.so.3...done.
Loaded symbols for /usr/kerberos/lib/libk5crypto.so.3
Reading symbols from /usr/kerberos/lib/libcom_err.so.3...done.
Loaded symbols for /usr/kerberos/lib/libcom_err.so.3
Reading symbols from /usr/lib/libssl.so.0...done.
Loaded symbols for /usr/lib/libssl.so.0
Reading symbols from /usr/lib/libcrypto.so.0...done.
Loaded symbols for /usr/lib/libcrypto.so.0
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /lib/libnss_nisplus.so.2...done.
Loaded symbols for /lib/libnss_nisplus.so.2
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/libnss_nis.so.2...done.
Loaded symbols for /lib/libnss_nis.so.2
#0  0x812a375 in strcpy () at ../sysdeps/generic/strcpy.c:31
31      ../sysdeps/generic/strcpy.c: No such file or directory.

then take a look at the registers:
====================================
(gdb) info all-registers
eax            0x0      0
ecx            0x0      0
edx            0xbfff6054       -1073782700
ebx            0x0      0
esp            0xbfff6184       0xbfff6184
ebp            0xbfff618c       0xbfff618c
esi            0x0      0
edi            0x0      0
eip            0x812a375        0x812a375
eflags         0x10246  66118
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x2b     43
gs             0x2b     43
st0            0        (raw 0x00000000000000000000)
st1            0        (raw 0x00000000000000000000)
st2            0        (raw 0x00000000000000000000)
st3            0        (raw 0x00000000000000000000)
st4            0        (raw 0x00000000000000000000)
st5            0        (raw 0x00000000000000000000)
st6            0        (raw 0x00000000000000000000)
st7            0        (raw 0x00000000000000000000)
fctrl          0x0      0
fstat          0x0      0
ftag           0x0      0
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
(gdb)
I didn't waste my time writing an exploit because of this:
[root@softly /root]# ls -al `which pine`
-rwxr-xr-x    1 root     root      2680348 Aug 24  2000 /usr/bin/pine
[root@softly /root]#

--==Aramis==--
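The backtrace above stops inside strcpy() while handling the -attach argument. As an added illustration (not pine's source, which the post does not show, and not written by its author), the block below puts the unbounded strcpy() pattern that produces this kind of fault next to a bounded copy that rejects an argument which does not fit, and checks the same argument lengths the post used. ATTACH_PATH_MAX, attach_unbounded, attach_bounded and try_attach_len are hypothetical names, and the 256-byte buffer size is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of a fixed attachment-path buffer. Pine's real buffer
 * size is not on the page; 256 is a hypothetical value for illustration. */
#define ATTACH_PATH_MAX 256

/* Unbounded pattern: strcpy() into a fixed buffer with no length check.
 * An argument longer than the buffer writes past its end, which is the
 * class of fault the backtrace above stops in (#0 inside strcpy).
 * Shown for contrast only; never call it with input you do not control. */
static void attach_unbounded(char *dest, const char *arg)
{
    strcpy(dest, arg);
}

/* Bounded form: reject an argument that would not fit together with its
 * terminating NUL. Returns 0 when copied, -1 when rejected (dest untouched). */
static int attach_bounded(char *dest, size_t destsz, const char *arg)
{
    size_t n = strlen(arg);
    if (destsz == 0 || n >= destsz)
        return -1;
    memcpy(dest, arg, n + 1);
    return 0;
}

/* Mirrors the shape of the post's test (perl -e 'print "A" x N') with a
 * constructed argument of N 'A' bytes and feeds it to the bounded copy.
 * Returns 0 if accepted, -1 if rejected, -2 if the argument could not be built. */
int try_attach_len(size_t n)
{
    char buf[ATTACH_PATH_MAX];
    char *arg = malloc(n + 1);
    int rc;
    if (arg == NULL)
        return -2;
    memset(arg, 'A', n);
    arg[n] = '\0';
    rc = attach_bounded(buf, sizeof buf, arg);
    free(arg);
    return rc;
}

int main(void)
{
    /* 20429 is the length from the post; the others probe the boundary. */
    size_t lens[] = { 10, ATTACH_PATH_MAX - 1, ATTACH_PATH_MAX, 20429 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len %6zu -> %s\n", lens[i],
               try_attach_len(lens[i]) == 0 ? "copied" : "rejected (too long)");
    (void)attach_unbounded; /* referenced only so the contrast case compiles cleanly */
    return 0;
}
```

The bounded version is the check a maintainer would add: measure first, refuse anything of size destsz or more (the NUL needs its own byte), and only then copy. The author's own ls output is the other half of the risk picture: with the binary mode 0755 and no setuid bit, a crash triggered from one's own command line gains nothing beyond the caller's existing privileges, which is why the post stops at the crash.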

