[39839] in Cypherpunks
Re: netscape bug
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Fri Sep 22 01:39:20 1995
To: tomw@cthulhu.engr.sgi.com
Cc: cypherpunks@toad.com
In-Reply-To: Your message of "Thu, 21 Sep 1995 22:03:19 PDT." <199509220503.WAA05140@orac.engr.sgi.com>
Reply-To: perry@piermont.com
Date: Fri, 22 Sep 1995 01:37:29 -0400
From: "Perry E. Metzger" <perry@piermont.com>
Tom Weinstein writes:
> > Let's say, Mr. Weinstein, that you shove some code onto the stack along
> > with the return address, and the address happens to be the code.
>
> I never disputed that it could be done, I was just uncertain as to how
> easy it would be.
It's pretty obvious.
> > If you don't believe it can be done, it's easy enough to demonstrate it
> > on your machines, which I believe suffer from the syslog(3) bug, which
> > your company hasn't patched so far as I know, and which afflicts the
> > Sendmail daemons you ship with your machines. See the recent 8lgm bug
> > report if you want details.
>
> Hmm, could you explain how to exercise this bug? Perhaps a sample
> program?
I can tell you in general terms -- I don't write MIPS assembler
myself. However, I will point out to you that you use an ancient
Sendmail, and that it uses syslog(3) on user produced data, and that
syslog uses a static buffer. Trick sendmail into logging something
very big, and you can do what you like. The 8lgm people wrote a demo
for Sparc as a proof of concept.
Perry
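The defect Perry describes above, as an added illustration that is not part of the original thread and is not the 8lgm demo, the historical syslog(3) source, or sendmail code: a logger that formats caller-supplied data into a fixed-size static buffer with no length bound, placed beside the bounded form and the length check a maintainer would add. The buffer size, the function names (legacy_log, required_len, safe_log, sample_would_overflow) and the sample input are all constructed for this example; the real 1995 code is not reproduced.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for the example; the historical value is not reproduced. */
#define LOGBUF_SIZE 64

/* (1) Shape of the defect: vsprintf() into a fixed static buffer with no
 * bound. Any formatted message longer than LOGBUF_SIZE - 1 bytes writes past
 * the end of legacy_buf. Kept only for contrast with the hardened form below;
 * the usage here feeds it short, trusted input only. */
static char legacy_buf[LOGBUF_SIZE];

int legacy_log(const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsprintf(legacy_buf, fmt, ap);   /* unbounded write: the bug */
    va_end(ap);
    return n;
}

/* (2) The check: measure the formatted length before touching any buffer.
 * vsnprintf(NULL, 0, ...) is the C99 way to ask how long the output would be.
 * Returns the length excluding the terminating NUL. */
size_t required_len(const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    return n < 0 ? 0 : (size_t)n;
}

/* (3) Hardened logger: bounded write, always NUL-terminated, and the caller
 * learns whether the message was truncated so it can record that fact
 * instead of silently losing data. Returns 1 if the whole message fit,
 * 0 if it was truncated or formatting failed. */
int safe_log(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (outsz == 0)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);   /* bounded write, NUL always added */
    va_end(ap);
    if (n < 0) {
        out[0] = '\0';
        return 0;
    }
    return (size_t)n < outsz;
}

/* Constructed sample standing in for data a remote party controls and that a
 * mailer hands to the logger, such as an overly long envelope address. */
static const char SAMPLE_LONG[] =
    "sender <aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa>";

/* Runs the hardened logger over the sample and reports whether the message
 * exceeded the buffer, i.e. whether the same call would have overflowed
 * legacy_buf through legacy_log(). Returns 1 if so. */
int sample_would_overflow(void)
{
    char buf[LOGBUF_SIZE];
    size_t need = required_len("mail from: %s", SAMPLE_LONG);
    int fit = safe_log(buf, sizeof buf, "mail from: %s", SAMPLE_LONG);
    return need >= LOGBUF_SIZE && fit == 0;
}

int main(void)
{
    char buf[LOGBUF_SIZE];
    size_t need = required_len("mail from: %s", SAMPLE_LONG);
    int fit = safe_log(buf, sizeof buf, "mail from: %s", SAMPLE_LONG);
    printf("needs %zu bytes, buffer holds %d, fit=%d, stored=\"%s\"\n",
           need, LOGBUF_SIZE - 1, fit, buf);
    legacy_log("user %s", "alice");      /* short, trusted input only */
    printf("legacy: \"%s\"\n", legacy_buf);
    return 0;
}
```

The point of required_len() is that the bounded write alone is not the whole fix: a daemon that silently truncates log lines can still be made to drop the part of the record an operator needs, so the hardened logger returns the truncation status and the caller decides what to do with it.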