[16182] in bugtraq


Re: Possible vulnerability in HPUX ( Add vulnerability List )

daemon@ATHENA.MIT.EDU (???)
Thu Aug 10 16:34:02 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Message-Id:  <002d01c00284$9a61c050$021bebcb@LocalHost>
Date:         Thu, 10 Aug 2000 13:36:50 +0900
Reply-To: ??? <loveyou@hackerslab.org>
From: ??? <loveyou@HACKERSLAB.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit

Hi..

SYSTEM : HP-UX neptune B.11.00 A 9000/785

Memory fault vulnerability list
---------------------------------

/usr/bin/cancel `perl -e 'print "x" x 6080'` -ua 
Memory fault

/bin/lpstat `perl -e 'print "x" x 185'` 
Memory fault

$ kermit -y `perl -e 'print "x" x 5085'` 
[/home/loveyou] C-Kermit>q
Memory fault(coredump)   

$ kermit -x `perl -e 'print "x" x 222'`
Executing /usr/share/lib/kermit/ckermit.ini for UNIX...
Good Evening.
Memory fault(coredump)    

/usr/sbin/swinstall -s `perl -e 'print "x" x 5085'`

/usr/sbin/swpackage -x `perl -e 'print "x" x 5085'`
Memory fault

/usr/sbin/swcopy -s `perl -e 'print "x" x 5085'` 

/usr/sbin/swask -s `perl -e 'print "x" x 5000'`

/usr/dt/bin/dtterm -tn `perl -e 'print "x" x 1019'`

/bin/rlogin `perl -e 'print "x" x 17080'` -l loveyou


:-)

by loveyou ( loveyou@hackerslab.org )



----- Original Message ----- 
From: "Quentin GIORGI" <qgiorgi@SANCERRE.GRENOBLE.HP.COM>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Wednesday, August 09, 2000 4:31 PM
Subject: Possible vulnerability in HPUX


> Hello,
> 
> A few days ago I read the mail [ Hackerslab bug_paper ] HP-UX bdf -t
> option buffer overflow vul. And decided to see any other possible
> vulnerability(ies) on my system. (HP-UX 10.20).
> After a *few* minutes ( maybe a little more :) ), trying each setuid exe
> with different options, I finally got results as for bdf:
> My basic knowledge tells me that it could be exploitable, but as I am
> not a PA RISC assembly expert, I let anyone decide.
> 
> I have a quick query on the database vulnerability and can't see
> anything about this on HPUX, but...
> 
> df:
> ---
> sancerre: /home/qgiorgi>ll `which df`
> -r-sr-xr-x   1 root       bin          69632 Jun 10  1996 /usr/bin/df
> 
> sancerre: /home/qgiorgi>df -F `perl -e "print 't'x3631"`
> df: ttt <skip> ttt : No such file or directory
> usage : df [-F FStype] [-V] [-egiklnvfb] [-t|-P] [-o specific_options]
>            [special | directory ...]
> sancerre: /home/qgiorgi>df -F `perl -e "print 't'x3632"`
> Segmentation fault
> 
> exrecover:
> --------
> sancerre: /home/qgiorgi>ll `which exrecover`
> -r-sr-xr-x   1 root       bin          20480 May 30  1996
> /usr/lbin/exrecover
> 
> sancerre: /home/qgiorgi>exrecover anythingUwant `perl -e "print
> 't'x4703"`
>  File not found
> sancerre: /home/qgiorgi>exrecover anythingUwant `perl -e "print
> 't'x4704"`
> Segmentation fault
> 
> 
> And eventually, but it is owned by uucp, I think it's less interesting.
> uusub:
> -----
> sancerre: /home/qgiorgi>ll `which uusub`
> -r-sr-xr-x   1 uucp       bin          32768 May 30  1996
> /usr/lib/uucp/uusub
> sancerre: /home/qgiorgi>uusub -a `perl -e "print 't'x212"`
> sancerre: /home/qgiorgi>
> sancerre: /home/qgiorgi>uusub -a `perl -e "print 't'x213"`
> Segmentation fault
> 
> I also tried this on HPUX 11.00 (9911)
> uusub works with length of  225
> exrecover works with length > 2700
> 
> 
> I hope this could help.
> 
> 
> ---------------------------------------------------------------------------
> 
> Quentin GIORGI
> Network Engineer
> E.I.C IDA
> ---------------------------------------------------------------------------
> 
