Bugtraq mailing list archives
Re: HP-UX finger possible security hole
From: misar () RBG INFORMATIK TU-DARMSTADT DE (Walter Misar)
Date: Wed, 27 May 1998 08:45:22 +0200
> While I was playing with the finger command, I got a coredump when I submitted finger aaaa (200 random characters). I wonder if this is a possible security hole because the finger command is owned by bin group.
The situation is far worse, if fingerd is run (which invokes finger).
> My HP-UX is A.09.05 A 9000/73. Sorry if this is an old bug, I didn't have the time to check the archive, and forgive me for my broken English :)
When I first noticed this some years ago, I didn't find anything about it in any archives. But the hole should prove hard to exploit anyway - at least for the m68k hpux version, the overflow was in the malloc() area - it cores after a second call to malloc(). So standard techniques won't apply, but it should be possible to direct the write to the second malloced() area to any memory location.
Walter
Current thread:
- HP-UX finger possible security hole dauphin Robert (May 25)
- <Possible follow-ups>
- Re: HP-UX finger possible security hole Walter Misar (May 26)
- Re: HP-UX finger possible security hole hofmann () WPAX01 PHYSIK UNI-WUERZBURG DE (May 27)
- Re: HP-UX finger possible security hole Nicholas Rutterford (May 29)