Bugtraq mailing list archives

Re: More Overflows...


From: marc () SUSE DE (Marc Heuse)
Date: Fri, 4 Sep 1998 09:42:35 +0200


Hi,

smbclient        version:  1.9.18p3    Overflow occurs after 8505 characters
compress         version:  4.2.4       Overflow at 1100 characters
elvis            version:  2.0         Lots of fun quirks over 1000-100000;
                                       maybe an exploit symlinking with tmp's
lha              version:  1.02            Overflow at  >19211

None of these applications is s[ug]id, so these overflows cannot be
exploited to gain privilege.

about the symlink attack on elvis-2.0:

/* unix/osprg.c */
char id_osprg[] = "$Id: osprg.c,v 2.9 1996/05/23 00:03:51 steve Exp $";
#define TMPDIR  (o_directory ? tochar8(o_directory) : "/tmp")
static char     tempfname[100]; /* name of temp file */

                /* create a temporary file for feeding the program's stdin*/
                sprintf(tempfname, "%s/elvis%d.tmp", TMPDIR, (int)getpid());
                /* O_CREAT|O_EXCL: open() fails with EEXIST if anything already
                 * exists at this path; a pre-planted symlink counts as existing
                 * (whether or not its target does), so it is never followed */
                writefd = open(tempfname, O_WRONLY|O_CREAT|O_EXCL, 0600);
                if (writefd < 0)
                {
                        msg(MSG_ERROR, "can't make temporary file");
                        free(command);
                        return False;
                }

It's not vulnerable.


There are many more but I'm too tired to document them. If you have any
questions, I can be reached at hdmoore () usa net

If some of them can really be used to gain more privileges on the machine or
result in a denial of service, please email them to security () suse de.

The major concern I have is non-privileged users trashing system files
with suid apps, please check ALL your suids for overflows... Anyways,
Thrill Kill rocked and I'm beat and bloody from the pit, so goodnight.

Well, if you find any, drop me a note.


Greets,
        Marc
--
  Marc Heuse, S.u.S.E. GmbH, Fahrradstr. 56, D-90429 Nuernberg
  E@mail: marc () suse de   Function: Security Support & Auditing
  Use  "finger marc () suse de | pgp -fka"  for my public pgp key
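
[Editor's note: the following is an added example, not code from elvis or from
either poster, illustrating why the O_EXCL flag in the osprg.c excerpt above
defeats a temp-file symlink attack. It stages the attack in a scratch
directory of its own: the "victim" file, the scratch directory name
/tmp/elvisdemoXXXXXX and the guessed temp name elvis4242.tmp (standing in for
elvis<pid>.tmp) are all constructed for the demonstration. It compares the
elvis-style O_CREAT|O_EXCL open with the naive O_CREAT|O_TRUNC open that many
programs of the era used.]

```c
/*
 * Added example (not elvis code): plant a symlink where a program will create
 * its predictably named temp file, then open that path two ways.
 *   O_CREAT|O_TRUNC follows the symlink and clobbers the victim file.
 *   O_CREAT|O_EXCL  fails with EEXIST and the victim file is untouched.
 * Scratch directory, victim file and temp name are constructed for the demo.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* The elvis way: refuse to open if anything already exists at the path. */
int open_temp_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* The unsafe way: an existing symlink is followed and its target truncated. */
int open_temp_trunc(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/*
 * Runs the attack against the given opener and returns:
 *   1  the victim file was overwritten through the planted symlink
 *   0  open() refused the planted symlink and the victim file is intact
 *  -1  setup failure (scratch directory, victim file or symlink)
 */
int run_symlink_attack(int (*opener)(const char *))
{
    char dir[] = "/tmp/elvisdemoXXXXXX";     /* constructed scratch dir */
    char victim[PATH_MAX], tmpname[PATH_MAX];
    char buf[64] = {0};
    const char *original = "original contents\n";
    const char *payload  = "attacker-controlled data\n";
    int result = -1, fd;
    ssize_t n;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim,  sizeof victim,  "%s/victim", dir);
    snprintf(tmpname, sizeof tmpname, "%s/elvis4242.tmp", dir); /* guessed pid */

    /* The file the attacker wants clobbered (a config file, a dotfile...). */
    fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        goto cleanup;
    if (write(fd, original, strlen(original)) != (ssize_t)strlen(original)) {
        close(fd);
        goto cleanup;
    }
    close(fd);

    /* Attacker plants the symlink before the program creates its temp file. */
    if (symlink(victim, tmpname) != 0)
        goto cleanup;

    /* The program creates its temp file and writes data into it. */
    fd = opener(tmpname);
    if (fd >= 0) {
        (void)write(fd, payload, strlen(payload));
        close(fd);
    } else if (errno != EEXIST) {
        goto cleanup;               /* some other failure: not a verdict */
    }

    /* Did the victim survive? */
    fd = open(victim, O_RDONLY);
    if (fd < 0)
        goto cleanup;
    n = read(fd, buf, sizeof buf - 1);
    close(fd);
    result = (n > 0 && strcmp(buf, original) == 0) ? 0 : 1;

cleanup:
    unlink(tmpname);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("O_CREAT|O_TRUNC: victim overwritten = %d\n",
           run_symlink_attack(open_temp_trunc));
    printf("O_CREAT|O_EXCL : victim overwritten = %d\n",
           run_symlink_attack(open_temp_excl));
    return 0;
}
```

With O_EXCL the open fails with EEXIST, which is exactly the "can't make
temporary file" branch in the excerpt above; the predictable elvis<pid>.tmp
name gives an attacker a target, but the flag means the planted link is never
followed. mkstemp(3) does the same thing with an unpredictable name, which is
what a new program should use.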


