[6549] in bugtraq
Re: Nasty security hole in "lprm"
daemon@ATHENA.MIT.EDU (Gian Uberto Lauri)
Mon Apr 20 15:32:36 1998
Date: Mon, 20 Apr 1998 11:23:11 +0200
Reply-To: saint@dei.unipd.it
From: Gian Uberto Lauri <saint@DEI.UNIPD.IT>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: message from Chris Evans on Sat, 18 Apr 1998 15:42:11 +0100
>>>>> "CE" == Chris Evans <chris@FERRET.LMH.OX.AC.UK> writes:
CE> If trying to remove entries from a remote queue, the args given
CE> are basically strcat()'ed into a static buffer.
CE> Thus:
CE> lprm -Psome_remote `perl -e 'print "a" x 2000'`
CE> Segmentation fault
CE> gdb confirms the program is attempting to execute code at
CE> 0x41414141
Confirmed. Solaris 2.6 has the same problem.
/usr/ucb/lprm is a symlink to /usr/bin/cancel that is setuid root
/*
* Please note : comandi is a file containing the command to start
* cancel with the 2000 'a' passed as parameter.
*/
{betty} 11:09:44
[15]/tmp:adb -P"Pollo:" -I /tmp ./cancel
Pollo:$<comandi
Pollo:SIGSEGV: Segmentation Fault (address not mapped to object)
stopped at:
0xef6fe9b8: ldsb [%o1], %o5
Pollo:$r
g0 0x0 l0 0xeffff79c
g1 0xef7459f4 l1 0x63940
g2 0x3f57d l2 0xef6fe93c
g3 0x3e17c l3 0x0
g4 0x3e164 l4 0x80
g5 0x0 l5 0x80
g6 0x0 l6 0x7
g7 0x0 l7 0xfc09ab80
o0 0xef74fbec i0 0xef74fbec
o1 0x61616161 i1 0x370ec
o2 0x0 i2 0xef76227c
o3 0x0 i3 0x0
o4 0xef76227c i4 0xeffff79c
o5 0xef6fe954 i5 0xef7fd8b4 _end+0x878
sp 0xefffe378 fp 0xefffe3d8
o7 0xef6fe980 i7 0xef6dba68
y 0x0
psr 0x4001084
pc 0xef6fe9b8 0xef6fe9b8: ldsb [%o1], %o5
npc 0xef6fe9bc 0xef6fe9bc: ldsb [%o0], %g1
Solaris 2.5.5.1 does not have the problem.
Gian Uberto Lauri
saint@dei.unipd.it
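The bug both posts describe is an unchecked strcat() of the command-line arguments into a fixed buffer; the adb dump above shows the result, with %o1 holding 0x61616161 ("aaaa") at the faulting load. The following is an added example, not code from lprm, cancel or any vendor: the vulnerable shape beside a bounded version that tracks remaining space and refuses arguments that do not fit. The buffer size REQ_MAX and the function names are assumptions.

```c
/* Added example, not the lpr/lprm or Solaris cancel source. */
#include <stdio.h>
#include <string.h>

#define REQ_MAX 1024   /* fixed request buffer size: an assumed value */

/* Vulnerable shape from the report: each arg is appended with no check
 * that the total fits, so a 2000-byte arg runs past the buffer. Kept
 * only for contrast; do not use. */
char req_unsafe[REQ_MAX];
void build_request_unsafe(int argc, char **argv)
{
    req_unsafe[0] = '\0';
    for (int i = 0; i < argc; i++) {
        strcat(req_unsafe, argv[i]);   /* overflows once total >= REQ_MAX */
        strcat(req_unsafe, " ");
    }
}

/* Hardened shape: know the remaining space and stop before exceeding it.
 * Each arg is followed by one space. Returns the length written, or -1
 * if the args (plus separators and the terminating NUL) do not fit. */
int build_request(char *out, size_t outsz, int argc, char **argv)
{
    size_t used = 0;
    if (outsz == 0) return -1;
    out[0] = '\0';
    for (int i = 0; i < argc; i++) {
        size_t n = strlen(argv[i]);
        /* need n bytes + 1 separator + 1 NUL within the space left */
        if (n + 1 >= outsz - used) return -1;
        memcpy(out + used, argv[i], n);
        used += n;
        out[used++] = ' ';
        out[used] = '\0';
    }
    return (int)used;
}

int main(int argc, char **argv)
{
    char req[REQ_MAX];
    if (build_request(req, sizeof req, argc - 1, argv + 1) < 0) {
        fprintf(stderr, "lprm: argument list too long\n");
        return 1;
    }
    printf("request: %s\n", req);
    return 0;
}
```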