[3309] in bugtraq
rlogin bug and buffer overflow thoughts
daemon@ATHENA.MIT.EDU (Laslo Orto)
Wed Aug 28 22:09:44 1996
Date: Wed, 28 Aug 1996 20:37:14 -0400
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
From: Laslo Orto <cc317@freenet.toronto.on.ca>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To: <199608271357.JAA17296@plato.oneworld.net>
The bug exists also in FreeBSD (don't know what version exactly but I
think all of them), BSDI 2.1 and SunOS 4.1.4 (and probably other versions).
I haven't been able to exploit it because (I might be wrong):
The vulnerable function does not use return (value), it uses exit(value)
instead, so the overflowed part of the stack with the changed address is
never accessed.
I wrote a "vulnerable" test to check it.
-----------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void)
{
    char string[256];
    /* unbounded copy of TERM into a 256-byte stack buffer (the overflow under test) */
    strcpy(string, getenv("TERM"));
    /* everything that comes after this call still works, like: */
    printf("%s", string);
    return 0;   /* main returns normally, so the overwritten return address is used */
}
-----------------------------------------------------------------
This gives me a shell when the TERM is a long string with the proper
instructions.
But this one didn't give a shell:
-----------------------------------------------------------------
#include <stdlib.h>
#include <string.h>

int main(void)
{
    char string[256];
    /* same unbounded copy as above */
    strcpy(string, getenv("TERM"));
    /* exit() never returns, so the overwritten return address is never popped */
    exit(0);
}
-----------------------------------------------------------------
Any comments?
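For comparison, here is a bounds-checked replacement for the strcpy(string, getenv("TERM")) line in the two test programs. This is an added example, not code from the post or from any rlogin implementation; the function name copy_term_checked and the choice to refuse (rather than silently truncate) an overlong value are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same 256-byte buffer size as in the test programs above. */
#define TERM_BUF_SIZE 256

/* Hardened stand-in for strcpy(string, getenv("TERM")).
 * Copies src into dst only if src is non-NULL and fits together with its
 * terminating NUL. Returns 0 on success and -1 on refusal; dst is always
 * left NUL-terminated so a caller can print it safely either way. */
static int copy_term_checked(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)            /* getenv() returns NULL when TERM is unset */
        return -1;

    /* Bounded length scan: never look further than dstsz bytes into src,
     * so an overlong environment value cannot drive the copy past dst. */
    size_t n = 0;
    while (n < dstsz && src[n] != '\0')
        n++;
    if (n == dstsz)             /* no room left for the NUL: refuse, do not truncate */
        return -1;

    memcpy(dst, src, n + 1);    /* n + 1 <= dstsz, includes the NUL */
    return 0;
}

int main(void)
{
    char string[TERM_BUF_SIZE];

    if (copy_term_checked(string, sizeof string, getenv("TERM")) != 0) {
        fprintf(stderr, "TERM unset or longer than %d bytes, refusing\n",
                TERM_BUF_SIZE - 1);
        return 1;
    }
    printf("%s\n", string);
    return 0;
}
```

Whether exit() or return follows the copy no longer matters, because the stack frame is never written past the end of the buffer in the first place.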