
Bugtraq mailing list archives

Re: HP-UX finger possible security hole
From: misar () RBG INFORMATIK TU-DARMSTADT DE (Walter Misar)
Date: Wed, 27 May 1998 08:45:22 +0200


> While I was playing with the finger command, I got a coredump when
> I submit
>
> finger aaaa ( 200 random characters )
>
> I wonder if this is a possible security hole because the finger
> command is owned by bin group.

The situation is far worse if fingerd is run (which invokes finger).

> my HP-UX is A.09.05 A 9000/73
>
> sorry if this is an old bug, I didn't have the time to check the archive
> and forgive me for my broken English :)

When I first noticed this some years ago, I didn't find anything about it
in any archives. But the hole should prove hard to exploit anyway - at least
for the m68k hpux version, the overflow was in the malloc() area - it cores
after a second call to malloc(). So standard techniques won't apply, but
it should be possible to direct the write to the second malloced() area to
any memory location.

        Walter


