[8269] in bugtraq


bof in sdtcm_convert (Solaris 2.5)

daemon@ATHENA.MIT.EDU (Joel Eriksson)
Fri Oct 23 19:38:09 1998

Date: 	Fri, 23 Oct 1998 19:16:26 +0200
Reply-To: Joel Eriksson <na98jen@STUDENT.HIG.SE>
From: Joel Eriksson <na98jen@STUDENT.HIG.SE>
To: BUGTRAQ@NETSPACE.ORG

/usr/dt/bin/sdtcm_convert seems to have a buffer overflow.

Cut and paste the text below to test for it:
---
cd /tmp
cp /usr/dt/bin/sdtcm_convert test
truss -o blaha ./test -d /tmp `perl -e 'print "A"x10265'`
tail -5 blaha
---

This is what I get:
---
    Incurred fault #6, FLTBOUNDS  %pc = 0xEF4E2EA0
      siginfo: SIGSEGV SEGV_MAPERR addr=0x41004EFC
    Received signal #11, SIGSEGV [default]
      siginfo: SIGSEGV SEGV_MAPERR addr=0x41004EFC
        *** process killed ***            ^^------- ASCII-code for 'A'
---

If I use print "A"x10268, all of the address bytes are 0x41.

No setuid() in the truss output, so it does not drop root privileges either..

If I have totally misunderstood something here please let me know, and if
someone manages to write an exploit for it please send it to me. :-)
I've tried myself but it's not going too well.. :-P

/Joel Eriksson
