Bugtraq mailing list archives
sunos rlogin
From: espel () clipper ens fr (Roger Espel Llima)
Date: Wed, 4 Dec 1996 13:26:32 +0100
Can anyone make something out of this? (works on SunOS 4.1.3 and Solaris 2.5, at least, and not on Linux or current NetBSD):

    $ TERM=`perl -e 'print "x" x 1000'`
    zsh: can't find termcap info for xxx[...]
    $ rlogin localhost
    zsh: segmentation fault  rlogin localhost

A quick look at what rlogin does (with the help of a libc tracing tool) shows that it first does a strcpy of getenv("TERM") into a fixed position in the data segment, and then a strcat of a "/" and a string (the speed of the terminal) on it.

There are few symbols after the position where TERM gets copied in memory (mostly just the various diagnostic messages), and at that point in the execution there doesn't seem to be anything much of use in the BSS (which is 8k further down in memory).... so it doesn't look like the bug can be exploited... but maybe someone will find a way :-).

-Roger

--
e-mail: roger.espel.llima () ens fr
WWW page & PGP key: http://www.eleves.ens.fr:8080/home/espel/index.html
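The pattern the post describes (an unchecked strcpy of TERM into a fixed buffer, followed by strcat of "/" and the terminal speed) is the classic fixed-buffer overflow, and the fix is to size-check before writing. The following C is an added illustration, not the SunOS rlogin source or any code from the post: the buffer size TERM_BUF_SIZE, the "unknown" fallback for an unset TERM, and the "9600" speed string are all assumed values chosen for the example. It places the unchecked pattern beside a bounds-checked builder and reproduces the post's 1000-character TERM input in-process to show that the checked version refuses it instead of crashing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the fixed buffer that rlogin copies TERM into; the post does
 * not give the real size, so this value is a placeholder for illustration. */
#define TERM_BUF_SIZE 64

/* The pattern the post describes: TERM goes into a fixed data-segment buffer
 * via strcpy, then "/" and the terminal speed are appended with strcat.
 * Nothing bounds the copy, so a TERM longer than the buffer writes past its
 * end. Kept only as the reference point for the checked version below; this
 * example never calls it with long input. */
static char term_buf[TERM_BUF_SIZE];

void build_term_unchecked(const char *term, const char *speed)
{
    strcpy(term_buf, term);   /* no length check: overflows when term is too long */
    strcat(term_buf, "/");
    strcat(term_buf, speed);
}

/* Hardened form: compute the required length first and refuse anything that
 * does not fit, including the terminating NUL. Returns 0 on success and -1
 * for input that would not fit. snprintf does the actual write, so the buffer
 * cannot be overrun even if the length arithmetic were wrong. */
int build_term_checked(char *buf, size_t bufsize, const char *term, const char *speed)
{
    if (buf == NULL || bufsize == 0 || speed == NULL)
        return -1;
    if (term == NULL || *term == '\0')
        term = "unknown";     /* assumed fallback when TERM is unset */

    size_t need = strlen(term) + 1 + strlen(speed) + 1;   /* term + "/" + speed + NUL */
    if (need > bufsize)
        return -1;

    int n = snprintf(buf, bufsize, "%s/%s", term, speed);
    if (n < 0 || (size_t)n >= bufsize)
        return -1;
    return 0;
}

/* Reproduce the post's test input in-process: a 1000-character TERM value,
 * constructed here rather than read from the environment. Returns 1 if the
 * checked builder rejects it, 0 otherwise. */
int long_term_is_rejected(void)
{
    char long_term[1001];
    memset(long_term, 'x', 1000);
    long_term[1000] = '\0';

    char out[TERM_BUF_SIZE];
    return build_term_checked(out, sizeof out, long_term, "9600") == -1;
}

int main(void)
{
    char out[TERM_BUF_SIZE];
    const char *term = getenv("TERM");   /* whatever the caller's shell set */

    if (build_term_checked(out, sizeof out, term, "9600") == 0)
        printf("terminal string: %s\n", out);
    else
        printf("TERM too long for a %d-byte buffer; refusing to build it\n", TERM_BUF_SIZE);

    printf("1000-char TERM rejected: %s\n", long_term_is_rejected() ? "yes" : "no");
    return 0;
}
```

Running it with the post's `TERM=`perl -e 'print "x" x 1000'`` in the environment takes the refusal branch instead of faulting; the point for a reviewer is that every environment variable copied into a fixed buffer needs the same length check, since the environment is attacker-controlled for any setuid or remotely invoked program.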