[3124] in bugtraq
Possible bufferoverflow condition in lpr, xterm and xload
daemon@ATHENA.MIT.EDU (bloodmask)
Tue Aug 13 02:36:24 1996
Date: Tue, 13 Aug 1996 07:27:56 +0200
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
From: bloodmask <bloodmask@mymail.com>
X-To: bugtraq@crimelab.com
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
Greetings,
Quite surprised by mount's lack of boundry checking (After all, it's
been with linux for years) I woke up and started running a simple check
up on all the other suid binaries on popular Linux distributions.
Anyway, Linux users, be very very afraid, it seems mount isn't alone.
Not by a long shot. It seems other binaries on linux and probably on
most unix platforms fail to preform this type of simple checkup on the
size of command line argument / enviorment variables as in relation to
internal buffer size. The check i ran was simple, I coded a command line
buffer overflow scanner, which simply attempted to overwrite the stack
of all the suid binaries on my system. Suspicious and probably
exploitable behavior was a segment of the binary apon execution, with
scanner's command line supplied. My midterm results:
suspicious behavior in lpr [hoho, this is a quite common suid root
binary, in many commercail and non-commercail versions of unix], lpr
exhibited the same behavior as mount, by segmenting when supplied with
an argument above 1024 bytes.
xterm, xload, both segmented when supplied with -display commandline
argument / enviroment variable above it's buffer size. Probably
exploitable, although i haven't gotten around to veryfing this myself,
I'd like to here comments concerning this suspicioun of mine.
Err... love to here any comments...
C'ya folks
