Bugtraq mailing list archives
Re: OpenLink 3.2 Advisory
From: smm () WPI EDU (Seth McGann)
Date: Fri, 15 Oct 1999 21:52:07 -0400
The NT version is vulnerable to a boundary condition as well. If memory serves (I looked at this last April, so it may be foggy) I was able to successfully modify the EIP but found no obvious way to get back to the overflowing buffer (where my egg would be). When I left off I found some code that would jump me back a little bit before the buffer. Unfortunately, the data formed some invalid opcodes, so no luck. I'm sure someone can figure it out; I'm sick of having my clock off by 6 hours from SoftIce warp :)

At 18:37 10/15/99 -0500, you wrote:
Hmm. I wonder if I should start numbering these things now. 8)

Overview: A serious security hole has been found in the web configuration utility that comes with OpenLink 3.2. This hole will allow remote users to execute arbitrary code as the user id under which the web configurator is run (inherited from the request broker, oplrqb). The hole is a run-of-the-mill buffer overflow, due to lack of parameter checking when strcpy() is used.
<CUT>

Seth M. McGann / smm () wpi edu
http://www.wpi.edu/~smm
"Security is making it to the bathroom in time."
KeyID: 2048/1024/E2501C80
Fingerprint 3344 DFA2 8E4A 977B 63A7 19E3 6AF7 4AE7 E250 1C80
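The quoted advisory describes the bug class only in one sentence: a request parameter copied into a fixed-size buffer with strcpy() and no length check. The following is an added illustration of that pattern and of the check that was missing; it is not code from OpenLink, from the advisory, or from either poster. The buffer size PARAM_MAX, the function names and the sample request values are assumptions made for the example, not details of the real configurator.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed stack buffer; the real value in the
 * OpenLink configurator is not stated in the advisory. */
#define PARAM_MAX 64

/* The pattern the advisory describes: request data is copied with
 * strcpy() into a fixed-size stack buffer with no length check.
 * Deliberately vulnerable: a value of PARAM_MAX or more bytes runs
 * past buf and overwrites whatever follows it on the stack (saved
 * registers, return address). Never call this with untrusted input. */
static void handle_param_unchecked(const char *value)
{
    char buf[PARAM_MAX];
    strcpy(buf, value);               /* no bound: the bug */
    printf("param = %s\n", buf);
}

/* The missing parameter check, as a reusable predicate: does value
 * (including its terminating NUL) fit in a buffer of bufsz bytes?
 * memchr() never scans past bufsz, so an unterminated or oversized
 * value is rejected without reading beyond the limit. */
int param_fits(const char *value, size_t bufsz)
{
    return memchr(value, '\0', bufsz) != NULL;
}

/* Hardened form of the handler: bounded copy, explicit rejection of
 * oversized input instead of silent truncation. Returns 0 on success,
 * -1 if the value does not fit (caller should treat it as a bad request). */
int handle_param_checked(const char *value, char *out, size_t outsz)
{
    const char *end = memchr(value, '\0', outsz);
    if (end == NULL)
        return -1;                    /* would overflow, refuse */
    memcpy(out, value, (size_t)(end - value) + 1);  /* includes NUL */
    return 0;
}

int main(void)
{
    char out[PARAM_MAX];
    /* Constructed sample values, not captured OpenLink requests. */
    const char *short_value = "oplrqb";
    char long_value[300];
    memset(long_value, 'A', sizeof long_value - 1);
    long_value[sizeof long_value - 1] = '\0';

    /* Safe either way for a value that fits. */
    handle_param_unchecked(short_value);

    printf("short fits: %d, long fits: %d\n",
           param_fits(short_value, sizeof out),
           param_fits(long_value, sizeof out));

    if (handle_param_checked(long_value, out, sizeof out) != 0)
        printf("oversized parameter rejected\n");
    /* handle_param_unchecked(long_value) would be the overflow itself. */
    return 0;
}
```

The hardened handler returns an error rather than truncating with strncpy(): truncation would keep the request alive with a silently altered value, whereas rejecting it fails closed and leaves the bad request visible in logs.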