Bugtraq mailing list archives
Re: Possibly exploitable buffer overflow in Solaris 2.5.1 ps
From: geoffk () DISCUS ANU EDU AU (Geoffrey KEATING)
Date: Tue, 29 Apr 1997 18:09:22 +1000
> Date: Mon, 28 Apr 1997 03:54:33 -0500
> From: Joe Zbiciak <jzbiciak () MICRO TI COM>
>
> In poking around, I discovered it's possible to bus-error /usr/bin/ps on
> Solaris 2.5.1. (Not certain if any patches affecting ps have been applied
> to the system I discovered this on.) Giving "-u" a suitably large argument
> produces the bus error. I've not yet managed to exploit it.
>
> Here's my analysis so far:
>
>   user arg >9 chars:   null termination lost, extra garbage in error msg.
>   user arg >32 chars:  ps gets completely confused about commandline and
>                        prints generic usage information.
>   user arg >95 chars:  ps starts segmentation faulting.
>   user arg >100 chars: ps starts bus-erroring.
>
> (This is using a commandline of the form 'ps -u aaaaa....aaaa'.)
>
> It appears from this that the return address is at offset 96. Now it's
> just a matter of someone digging out the generic Solaris 'sploit and
> tuning 'er up.
Actually, the thing at offset 96 is `environ'. What's happening is that
there's a routine in ps that (basically) tries to parse the parameter into
comma-separated usernames, and copies the usernames into a
statically-allocated buffer without checking their length. It's a bug, but
not an obviously exploitable one.

The reason for the bus error compared to segv is that 'a' is odd.

There is an upper limit of 30 on the number of user IDs you can pass to
'ps -u'; uids after that are silently ignored :-(.

--
Geoff Keating <Geoff.Keating () anu edu au>
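The pattern Geoff describes, a comma-separated list of login names copied into a fixed, statically allocated table with no length check, is shown below with the missing checks put in. This is an added example written for this archive page, not the Solaris ps source: the function names and the 8-character name limit (MAX_NAME) are assumptions, while the 30-entry cap (MAX_USERS) is the limit the reply states. Rather than overrunning the table or silently dropping the 31st name, the parser reports both conditions to the caller.

```c
#include <stdio.h>
#include <string.h>

/* Limits for the fixed table. MAX_USERS is the cap the reply mentions;
   MAX_NAME is an assumed maximum login-name length for this example. */
#define MAX_USERS 30
#define MAX_NAME  8

struct user_list {
    char names[MAX_USERS][MAX_NAME + 1];   /* +1 for the terminating NUL */
    int  count;
};

/* Parse "name1,name2,..." into a bounded table.
   Returns the number of names stored,
   -1 if any single name exceeds MAX_NAME (the unchecked copy in the
      original is exactly this case),
   -2 if more than MAX_USERS names are supplied (instead of dropping them). */
int parse_users(const char *arg, struct user_list *out)
{
    out->count = 0;
    if (arg == NULL)
        return 0;

    const char *p = arg;
    while (*p != '\0') {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);

        if (len > MAX_NAME)
            return -1;                       /* refuse, never overrun */

        if (len > 0) {                       /* skip empty fields like ",," */
            if (out->count >= MAX_USERS)
                return -2;                   /* report the overflow of the table */
            memcpy(out->names[out->count], p, len);
            out->names[out->count][len] = '\0';
            out->count++;
        }

        if (comma == NULL)
            break;
        p = comma + 1;
    }
    return out->count;
}

/* Build a constructed list of MAX_USERS + 1 one-letter names and parse it,
   so the count limit can be exercised without a long literal. */
int too_many_names_result(void)
{
    char buf[2 * (MAX_USERS + 1) + 1];
    int i, pos = 0;
    for (i = 0; i <= MAX_USERS; i++) {
        if (i > 0)
            buf[pos++] = ',';
        buf[pos++] = 'a';
    }
    buf[pos] = '\0';

    struct user_list ul;
    return parse_users(buf, &ul);
}

int main(void)
{
    struct user_list ul;
    printf("three names      -> %d\n", parse_users("root,daemon,nobody", &ul));
    printf("9-char name      -> %d\n", parse_users("aaaaaaaaa", &ul));
    printf("31 names         -> %d\n", too_many_names_result());
    return 0;
}
```

The SIGBUS-versus-SIGSEGV distinction Geoff points out comes from the overwritten pointer being built from 'a' bytes (0x61), which is an odd and therefore misaligned address on SPARC; a bounded copy like the one above never lets the neighbouring pointer be clobbered in the first place.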