[20884] in bugtraq


Re: $HOME buffer overflow in SunOS 5.8 x86

daemon@ATHENA.MIT.EDU (Nicolas Dubee)
Wed Jun 6 01:24:18 2001

Message-Id: <200106060112.f561CtI32027@cannabis.dataforce.net>
To: bugtraq@securityfocus.com
Date: Wed, 6 Jun 2001 05:12:55 +0400 (MSD)
From: Nicolas Dubee <ndubee@df.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

> On Mon, Jun 04, 2001 at 06:14:30PM +0300, Georgi Guninski wrote:
> > $HOME buffer overflow in SunOS 5.8 x86

...

>Digital Unix V4.0C is vulnerable:
>
>digital> uname -a
>OSF1 digital V4.0 564.32 alpha
>digital> setenv HOME `perl -e 'print "a"x1100'`
>Received disconnect: Command terminated on signal 6.
>
>[and I am logged out of the machine]
>

Rather looks like a bug in the shell itself, or in some library function used in
it. What shell are you using?

As for the Sparc mail, at least 2.6 is also affected (most surely others as
well; the program doesn't actually crash but loops in a signal handler):

   yoki# uname -a
   SunOS yoki 5.6 Generic_105181-06 sun4u sparc SUNW,Ultra-1
   yoki# more truss.output
... 
   getgid()                                        = 1 [6]
   setgid(1)                                       = 0
   access("dead.letter", 0)                        Err#2 ENOENT
   access(".", 2)                                  = 0
   stat("dead.letter", 0xEFFFD1A8)                 Err#2 ENOENT
   brk(0x0003F120)                                 = 0
   brk(0x00041120)                                 = 0
   access("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", 0) Err#78 ENAMETOOLONG
   access("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", 2) Err#78 ENAMETOOLONG
       Incurred fault #5, FLTACCESS  %pc = 0x00017EDC
         siginfo: SIGBUS BUS_ADRALN addr=0x41414209
       Received signal #10, SIGBUS [caught]
         siginfo: SIGBUS BUS_ADRALN addr=0x41414209
   sigaction(SIGBUS, 0xEFFFCC50, 0xEFFFCCD0)       = 0
   sigaction(SIGBUS, 0xEFFFCC50, 0xEFFFCCD0)       = 0
   write(2, " A A A A A A A A A A A A".., 9139)    = 9139 
   write(2, " :   E R R O R   s i g n".., 15)      = 15
   write(2, " 1 0\n", 3)                           = 3
...



-nd
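
Added illustration, not part of the original post: a small Python triage helper run over the fault lines of the truss output above. It checks whether the faulting address lies close to a word built from the "A" (0x41) filler byte seen in the access() arguments, which indicates the address was derived from input data. The function names and the 0x1000 window are assumptions of this example.

```python
import re

# Constructed sample: the fault lines copied from the truss output quoted above.
SAMPLE = """\
       Incurred fault #5, FLTACCESS  %pc = 0x00017EDC
         siginfo: SIGBUS BUS_ADRALN addr=0x41414209
       Received signal #10, SIGBUS [caught]
         siginfo: SIGBUS BUS_ADRALN addr=0x41414209
"""

# Matches truss siginfo lines such as "siginfo: SIGBUS BUS_ADRALN addr=0x41414209".
SIGINFO = re.compile(r"siginfo:\s+(SIG\w+)\s+(\w+)\s+addr=0x([0-9A-Fa-f]+)")

def filler_match(addr, filler=0x41, max_delta=0x1000):
    """Return addr minus a 32-bit word made of the filler byte,
    or None when addr is not within max_delta of that word."""
    word = int.from_bytes(bytes([filler]) * 4, "big")
    delta = addr - word
    return delta if abs(delta) <= max_delta else None

def triage(truss_text, filler=0x41):
    """Return one finding per distinct faulting address in truss output."""
    seen = set()
    findings = []
    for m in SIGINFO.finditer(truss_text):
        sig, code, addr = m.group(1), m.group(2), int(m.group(3), 16)
        if addr in seen:          # truss reports the fault and the signal separately
            continue
        seen.add(addr)
        findings.append({
            "signal": sig,
            "code": code,
            "addr": addr,
            # Not 4-byte aligned, consistent with the BUS_ADRALN code.
            "misaligned": addr % 4 != 0,
            # Small offset from 0x41414141 means a filler-overwritten base pointer.
            "filler_delta": filler_match(addr, filler),
        })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['signal']} {f['code']} addr={f['addr']:#010x} "
              f"misaligned={f['misaligned']} filler_delta={f['filler_delta']}")
```

For the quoted trace this reports a single finding: the address is 0xC8 above 0x41414141 and is not word aligned, which matches the BUS_ADRALN code in the siginfo line.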



