procmail

buffer overflow in procmail v3.11pre7

1998-08-31 13:57:49
    To whom this may concern: the following message was posted to
Bugtraq a few hours ago.

----- Forwarded message from "M.C.Mar" <woloszyn(_at_)IT(_dot_)PL> -----

Date:   Mon, 31 Aug 1998 11:13:38 +0200
From: "M.C.Mar" <woloszyn(_at_)IT(_dot_)PL>
Subject:      Re: Buffer overflows in Minicom 1.80.1
To: BUGTRAQ(_at_)NETSPACE(_dot_)ORG

On Sat, 29 Aug 1998, Eduardo Navarro wrote:

> I have found some buffer overflows in Minicom 1.80.1 which comes setuid
> root with Slackware 3.5.  I know that some overflows in other versions of
> minicom (not setuid root) were discussed, but I think it's "new" and
> more dangerous.

Hi!

I found those overflows about 2 months ago and they do not seem to be
exploitable in an easy way.
Look at this:

woozle:~> gdb ./minicom
[...]
(gdb) r -t /dev/ttyp`perl -e 'print "A" x 9000'`
[...]
Program received signal SIGSEGV, Segmentation fault.
0x400ae057 in strcpy ()
(gdb) backtrace
#0  0x400ae057 in strcpy ()
#1  0xbfffd638 in ?? ()
#2  0x804981e in free ()
[...]
(gdb) x/i 0x400ae057
0x400ae057 <strcpy+19>: movb   %al,(%ecx,%edx,1)
[...]
(gdb) info registers
eax            0x4806dc41       1208409153
[...]

I tried to play with the data to bypass that, but with no success :(
Same with TERM and HOME.


Another interesting thing is that procmail also contains a similar bug:
woozle:~> gdb ./procmail
[...]
(gdb)  r `perl -e 'print "A" x 5000'`
Starting program: /home/emsi/./procmail `perl -e 'print "A" x 5000'`

[You need to type ^D here!!!]

procmail: Couldn't create "/var/spool/mail/emsi"
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x4008a107 in malloc ()

Interesting, isn't it? But look at this:
(gdb)  r `perl -e 'print "A" x 7000'`
[...]
Starting program: /home/emsi/./procmail `perl -e 'print "A" x 7000'`
procmail: Couldn't create "/var/spool/mail/emsi"

Program received signal SIGSEGV, Segmentation fault.
0x4007dfa3 in strncmp ()

But this time, there is something more interesting:
(gdb) x/i 0x4007dfa3
0x4007dfa3 <strncmp+19>:        lodsb  %ds:(%esi),%al
(gdb) info registers
eax            0x41414141       1094795585
esi            0x41414141       1094795585
ds             0x2b     43

Also malloc looks interesting. Whereas in the case of minicom it seems
impossible to me to exploit it, in the case of procmail it is much more
interesting and I would like to discuss the possibility of exploiting it.
Oh, I almost forgot:
woozle:~> ./procmail -v
procmail v3.10 1994/10/31 written and created by Stephen R. van den Berg
                                berg(_at_)pool(_dot_)informatik(_dot_)rwth-aachen(_dot_)de

All has been tested on slackware 3.5.

RegardZ,

Kil3r
-- 
___________________________________________________________________________
M.C.Mar   An NT server can be run by an idiot, and usually is.   
emsi(_at_)it(_dot_)pl
      "If you can't make it good, make it LOOK good." - Bill Gates
  Maybe this isn't the place, but, for example, M$ programs are veritable monuments to stupidity.

----- End forwarded message -----


    Regards,

    Liviu

-- 
Dr. Liviu Daia                   e-mail:   daia(_at_)stoilow(_dot_)imar(_dot_)ro
Institute of Mathematics         web page: http://www.imar.ro/~daia
of the Romanian Academy          PGP key:  finger daia(_at_)stoilow(_dot_)imar(_dot_)ro
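The crash pattern in the forwarded post (strcpy and strncmp faulting with 0x41414141 in %eax/%esi after an oversized command-line argument) is the signature of an argument copied into a fixed-size buffer without a length check. The following is an added example, not code from the post nor from the procmail or minicom sources, showing the defensive pattern: measure the argument against the destination before copying, reject it when it cannot fit, and never let the copy run past the buffer. The buffer size, the function names and the "/dev/" prefix check are hypothetical choices for illustration.

```c
/* Added example: bounded copy of a command-line argument.
 * Not from the Bugtraq post or from procmail/minicom; names and sizes
 * below are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PATH_BUF 256   /* hypothetical fixed-size destination, e.g. a tty path */

/* Copy src into dst (capacity dstsz) only if it fits with its NUL.
 * Returns 0 on success, -1 if the argument is too long or a pointer is
 * invalid. On failure dst is left as an empty string so a caller cannot
 * accidentally use a half-copied value. */
int copy_arg_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n;
    if (dst == NULL || dstsz == 0 || src == NULL)
        return -1;
    /* Measure at most dstsz bytes: an oversized argument is rejected
     * after scanning dstsz bytes, not after walking the whole string. */
    for (n = 0; n < dstsz && src[n] != '\0'; n++)
        ;
    if (n == dstsz) {          /* no room left for the terminating NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);   /* n + 1 <= dstsz, NUL included */
    return 0;
}

/* Hypothetical validator for a device-name argument: returns 1 if the
 * argument fits in PATH_BUF and names something under /dev/, else 0.
 * The local buffer is never written beyond its size, whatever the
 * length of arg. */
int accept_device_arg(const char *arg)
{
    char buf[PATH_BUF];
    if (copy_arg_bounded(buf, sizeof buf, arg) != 0)
        return 0;
    return strncmp(buf, "/dev/", 5) == 0;
}

int main(int argc, char **argv)
{
    /* Constructed oversized input, same shape as the post's perl one-liner. */
    static char big[9001];
    memset(big, 'A', 9000);
    big[9000] = '\0';

    printf("short argument accepted:     %d\n", accept_device_arg("/dev/ttyp0"));
    printf("9000-byte argument accepted: %d\n", accept_device_arg(big));
    if (argc > 1)
        printf("argv[1] accepted:            %d\n", accept_device_arg(argv[1]));
    return 0;
}
```

Run it with no arguments to see the short name accepted and the 9000-byte string rejected; pass your own argument to check it the same way. The point is that the length check happens before any byte is written, so the fixed-size buffer can never be overrun and an attacker-supplied string never reaches a pointer that strcpy or strncmp later dereferences.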
