Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Vulnerability Development mailing list archives

Re: UUCP
From: Enchanter tim <rlf () plan-9 org>
Date: Fri, 30 Nov 2001 19:53:22 +0100
On Thursday 29 November 2001 13:13, Izik wrote:

Hello

i've found buffer overflow in uucp. in BSDi platform's
right now i've checked that on:


----SNIP-----

buffer overflow is based on command line argv. for ex:

/usr/bin/uucp `perl -e 'print "A" x 900'` `perl -e 'print "A" x 900'`
`perl -e 'print "A" x 356'`


It doesnt seem to work on Slackware 8.0, though..

lucien () Rhoxy:~$  /usr/bin/uucp `perl -e 'print "A" x 90000'` `perl -e 'print "A" x 90000'` `perl -e 'print "A" x 
35060'`
bash: /usr/bin/uucp: Argument list too long
Shorter strings of A ( I just added extra 0's ) just give a "filename too long"
lucien () Rhoxy:~$ uucp -v
uucp: Taylor UUCP 1.06.1, copyright (C) 1991, 92, 93, 94, 1995 Ian Lance Taylor
lucien () Rhoxy:~$ ls -al /usr/bin/uucp
-r-sr-xr-x   1 uucp     bin         82928 Jun 21  2000 /usr/bin/uucp*



since uucp is by nature suid. and the ownership is by uucp
i don't see the real profit. what does bother me is that uucp
also got a daemon ...


Well, it would confuse logging, for one thing :)
And think about situations where someone has a restricted shell ..



Singed.
izik @ http://www.tty64.org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]