[12256] in bugtraq
Re: OpenLink 3.2 Advisory
daemon@ATHENA.MIT.EDU (Seth McGann)
Mon Oct 18 12:12:36 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id:  <4.1.19991015212945.04e3aaf0@pop.wpi.edu>
Date:         Fri, 15 Oct 1999 21:52:07 -0400
Reply-To: Seth McGann <smm@WPI.EDU>
From: Seth McGann <smm@WPI.EDU>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.SGI.4.05.9910151747150.644081-100000@tiger.coe.missouri.edu>
The NT version is vulnerable to a boundary condition as well.  If memory
serves (I looked at this last April, so it may be foggy) I was able to
successfully modify the EIP but found no obvious way to get back to the
overflowing buffer (where my egg would be).  When I left off I found some
code that would jump me back a little bit before the buffer.
Unfortunately, the data formed some invalid opcodes, so no luck.  I'm sure
someone can figure it out, I'm sick of having my clock off by 6 hours from
SoftIce warp :)
At 18:37 10/15/99 -0500, you wrote:
>Hmm.  I wonder if I should start numbering these things now. 8)
>
>Overview:
>
>A serious security hole has been found in the web configuration utility
>that comes with OpenLink 3.2.  This hole will allow remote users to
>execute arbitrary code as the user id under which the web configurator is
>run (inherited from the request broker, oplrqb).  The hole is a
>run-of-the-mill buffer overflow, due to lack of parameter checking when
>strcpy() is used.
<CUT>
Seth M. McGann / smm@wpi.edu        "Security is making it
http://www.wpi.edu/~smm              to the bathroom in time."
KeyID: 2048/1024/E2501C80
Fingerprint 3344 DFA2 8E4A 977B 63A7  19E3 6AF7 4AE7 E250 1C80
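Added example, not code from the advisory, from Seth's reply, or from OpenLink: the quoted advisory describes a run-of-the-mill strcpy() overflow in a web configurator parameter handler, and the reply describes overwriting the saved EIP that sits past the buffer. The constructed C below shows that unchecked pattern next to a length-checked replacement, and a helper that reports how far a given parameter would spill past a fixed-size buffer. PARAM_MAX, the struct layout and the parameter strings are assumptions chosen for illustration, not OpenLink's actual sizes.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Assumed buffer size for a request parameter (not OpenLink's real value). */
#define PARAM_MAX 32

/* The vulnerable pattern the advisory describes: strcpy() copies the whole
 * source plus its NUL into dst, no matter how small dst is.  Returns the
 * number of bytes copied before the NUL. */
size_t copy_param_unchecked(char *dst, const char *src) {
    strcpy(dst, src);              /* no bound on dst: writes strlen(src)+1 bytes */
    return strlen(src);
}

/* Hardened form: reject anything that does not fit together with its NUL.
 * Returns the length copied, or -1 if the parameter was refused.  Refusing
 * is preferable to silent truncation, which can still corrupt parsing. */
int copy_param_checked(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)
        return -1;
    memcpy(dst, src, n + 1);       /* n+1 <= dst_size, so this is in bounds */
    return (int)n;
}

/* How many bytes an unchecked copy of src would write past a buf_size-byte
 * buffer (0 means it fits).  Useful when triaging which request fields can
 * reach data stored after the buffer. */
size_t overflow_bytes(const char *src, size_t buf_size) {
    size_t need = strlen(src) + 1; /* include the terminating NUL */
    return need > buf_size ? need - buf_size : 0;
}

/* Constructed stand-in for a stack frame: the parameter buffer followed by
 * the word an attacker wants to control (the saved return address). */
struct frame_like {
    char param[PARAM_MAX];
    uint32_t saved_eip;
};

int main(void) {
    struct frame_like f;
    char payload[PARAM_MAX + 4];   /* PARAM_MAX+3 bytes of 'A' plus NUL */

    memset(payload, 'A', sizeof payload - 1);
    payload[sizeof payload - 1] = '\0';

    f.saved_eip = 0xdeadbeef;
    copy_param_unchecked(f.param, payload);   /* spills into saved_eip */
    printf("unchecked copy: saved_eip now 0x%08x (spilled %zu bytes)\n",
           f.saved_eip, overflow_bytes(payload, PARAM_MAX));

    f.saved_eip = 0xdeadbeef;
    int rc = copy_param_checked(f.param, sizeof f.param, payload);
    printf("checked copy: rc=%d, saved_eip still 0x%08x\n", rc, f.saved_eip);
    return 0;
}
```

The struct layout only stands in for a stack frame; where the real saved return address lands relative to the buffer depends on the compiler and on any locals between them, which is exactly why the reply needed a debugger to find it. Whatever the layout, the fix is the same: the copy must be bounded by the destination's size, not by the request's length.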