Bugtraq mailing list archives
Re: /usr/bin/doscmd on BSDI
From: imp () HARMONY VILLAGE ORG (Warner Losh)
Date: Wed, 17 Mar 1999 13:05:30 -0700
In message <Pine.LNX.3.96.990314002501.15534A-100000 () ds9 axsny net> kasper writes:
: finally:~ $ /usr/bin/doscmd `perl -e 'print "A" x 1015'`
: Segmentation fault
:
: doscmd is setuid executable as well.

On FreeBSD, where doscmd wasn't built by default until quite recently, I was able to reproduce this buffer overflow. In fixing it, I found several others that were hard to find/fix and I was able to move the buffer overflow to a place later in the program :-(. It appears that much work will need to be done to rid this program of the buffer overflows from this one, simple example.

I took the precaution of removing the setgid kmem bit from the installed binary until these issues can be resolved.

The buffer overflows look like they could be exploitable, at least in FreeBSD's version. I have quite a few core files that show an illegal address of 0x41414141.

Warner
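The crash kasper triggered with a 1015-byte argument, and the 0x41414141 addresses Warner sees in the core files, are what an unbounded copy of an argv element into a fixed stack buffer produces: the 'A' bytes (0x41) run past the buffer and over the saved return address, so the function returns into 0x41414141 and faults. The C below is an added example and not doscmd's source; the buffer size CMD_MAX, the `struct frame` layout and the function names are assumptions chosen for illustration. It shows the vulnerable pattern, a well-defined simulation of what that pattern writes over the saved return address, and a bounded replacement that rejects over-long input instead of truncating it silently.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size command buffer. The real buffer size in doscmd is
 * not given in the thread; 64 is an assumption for illustration. */
#define CMD_MAX 64

/* A model of a stack frame as an overflow sees it: the fixed buffer, then
 * the saved frame pointer, then the saved return address. Real frames hold
 * other locals too; this is a simplified picture of the same idea. */
struct frame {
    char     cmd[CMD_MAX];
    uint32_t saved_frame_ptr;
    uint32_t saved_return;
};

/* Build the payload from the original report, i.e. the output of
 * `perl -e 'print "A" x 1015'`. Caller frees the result. */
char *make_payload(size_t len)
{
    char *p = malloc(len + 1);
    if (!p)
        return NULL;
    memset(p, 'A', len);
    p[len] = '\0';
    return p;
}

/* Vulnerable pattern: strcpy of an argv element into a fixed buffer with no
 * length check. In a setuid/setgid binary this is the bug that lets an
 * unprivileged caller redirect control flow. Never call this with untrusted
 * input; it is shown only to make the shape of the bug concrete. */
void vulnerable_copy(struct frame *f, const char *arg)
{
    strcpy(f->cmd, arg);            /* writes past cmd[] when arg is long */
}

/* Simulation of what vulnerable_copy does to the frame, done with a memcpy
 * bounded to sizeof(struct frame) so this program itself stays well-defined
 * (the real overflow would keep writing past the end of the frame).
 * Returns the value the overflow leaves in the saved return address. */
uint32_t simulate_overflow(const char *arg)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_frame_ptr = 0xbfbff000u;  /* plausible-looking stack address, constructed */
    f.saved_return    = 0x08048000u;  /* plausible-looking text address, constructed */
    size_t n = strlen(arg) + 1;
    if (n > sizeof f)
        n = sizeof f;
    memcpy(&f, arg, n);
    return f.saved_return;
}

/* Hardened copy: refuses anything that does not fit, including the NUL.
 * Returns 0 on success, -1 if the argument is too long. Rejecting is safer
 * than strncpy-style truncation, which can silently change the command. */
int safe_copy(struct frame *f, const char *arg)
{
    size_t len = strlen(arg);
    if (len >= sizeof f->cmd)
        return -1;
    memcpy(f->cmd, arg, len + 1);
    return 0;
}

int main(void)
{
    char *payload = make_payload(1015);
    if (!payload)
        return 1;

    /* Every byte that lands on the saved return address is 'A' (0x41). */
    printf("saved return address after overflow: 0x%08x\n",
           simulate_overflow(payload));

    struct frame f;
    if (safe_copy(&f, payload) < 0)
        printf("safe_copy: %zu-byte argument rejected (limit %d bytes)\n",
               strlen(payload), CMD_MAX - 1);

    free(payload);
    return 0;
}
```

The simulated result is independent of byte order because every overwritten byte is the same 0x41, which is why a core file from this kind of crash shows 0x41414141 whatever the architecture. The "several others" Warner found after fixing the first copy are what one expects from a program that passes argv and environment strings through more than one fixed buffer: each copy needs its own bound, and bounding only the first moves the crash rather than removing it.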
Current thread:
- sendmail 8.9.3 patches to curb RCPT harvesters Peter W (Mar 11)
- Re: sendmail 8.9.3 patches to curb RCPT harvesters Tim Pierce (Mar 12)
- <Possible follow-ups>
- Re: sendmail 8.9.3 patches to curb RCPT harvesters Peter W (Mar 13)
- Re: sendmail 8.9.3 patches to curb RCPT harvesters Andy Church (Mar 13)
- /usr/bin/doscmd on BSDI kasper (Mar 13)
- Re: /usr/bin/doscmd on BSDI Warner Losh (Mar 17)
- Re: sendmail 8.9.3 patches to curb RCPT harvesters Aggelos P. Varvitsiotis (Mar 15)
- Lynx 2.8 overflow Mixter (Mar 15)
- ISS Security Advisory: LDAP Buffer overflow against Microsoft X-Force (Mar 16)
- Microsoft Security Bulletin (MS99-009) aleph1 () UNDERGROUND ORG (Mar 16)