Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: dump buffer overflow
From: kris () HUB FREEBSD ORG (Kris Kennaway)
Date: Wed, 8 Mar 2000 14:41:04 -0800


On Tue, 7 Mar 2000, Lamagra Argamal wrote:

On FreeBSD dump has the same hole i describes in my previous post.
Only it is exploitable :-) Dump with kerberos has __atexit and
__cleanup after all the other variables on the heap. By overwriting
these variables you can start your shellcode.

Most of the credits should go to zen-parse who found and tested this.

This was fixed on 1999/11/30 in 4.0-CURRENT by internal security auditing
and backported to 3.3-STABLE on 1999/12/13. Therefore FreeBSD 3.4 (the
most recent release) is not vulnerable.

On the one hand, I'm glad you checked FreeBSD for vulnerability, but on
the other hand it would be kinda nice to at least check the most recent
release if not the -stable branch, instead of something more than 3 months
out of date. Or failing that, to at least state which version it was that
you found to be vulnerable :-(

----------------------------
revision 1.9
date: 1999/11/10 18:11:16;  author: imp;  state: Exp;  lines: +2 -2
vsprintf -> vsnprintf in msg().
----------------------------

----------------------------
revision 1.5.2.3
date: 1999/12/13 15:53:13;  author: imp;  state: Exp;  lines: +2 -2
Back merge buffer overflow in static buffer
----------------------------

----SNIP
        (void) vfprintf(stderr, fmt, ap);
        (void) fflush(stdout);
        (void) fflush(stderr);
        (void) vsnprintf(lastmsg, sizeof(lastmsg), fmt, ap);
        va_end(ap);
----SNIP

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe () alum mit edu>



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]