Bugtraq mailing list archives
[ Hackerslab bug_paper ] HP-UX bdf -t option buffer overflow vul.
From: Kyong-won Cho <dubhe () HACKERSLAB COM>
Date: Thu, 27 Jul 2000 22:45:01 +0900
================================================================================ [ Hackerslab bug_paper ] HP-UX bdf -t option buffer overflow vul ================================================================================ File : /usr/bin/bdf SYSTEM : HP-UX 11.00 Tested by HP-UX B.11.00 INFO : bdf - report number of free disk blocks (Berkeley version) -t type Report on the file systems of a given type (for example, nfs or hfs). * 'bdf' program has SUID permission. $ ls -la `which bdf` -r-sr-xr-x 1 root bin 24576 Apr 7 1998 /usr/bin/bdf * Using '-t' option with long character $ bdf -t `perl -e 'print "A"x2415'` bdf: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAA..omited...AAAAAAAAAAAAAAAA : No such file or directory usage: bdf [ -b ] [ -i ] [ -l ] [-t type | file... ] $ bdf -t `perl -e 'print "A"x2416'` Memory fault $ <bash environment> bash-2.04$ bdf -b -t `perl -e 'print "A"x2416'` Segmentation fault bash-2.04$ *** If bigger than 2415 characters, 'bdf' has Segment faulted. Maybe.. 'bdf' has not checked string boundary. SOLUTION Don't know :) ==-------------------------------------------------------------------------------== ********* * ** ** * * ** ** * * ******* * * ** ** * dubhe () hackerslab org * ** ** * [ http://www.hackerslab.org ] ********* HACKERSLAB (C) since 2000 ==-------------------------------------------------------------------------------==
Current thread:
- [ Hackerslab bug_paper ] HP-UX bdf -t option buffer overflow vul. Kyong-won Cho (Jul 27)