Bugtraq mailing list archives
Re: dump buffer overflow
From: kris () HUB FREEBSD ORG (Kris Kennaway)
Date: Wed, 8 Mar 2000 14:41:04 -0800
On Tue, 7 Mar 2000, Lamagra Argamal wrote:
> On FreeBSD dump has the same hole I described in my previous post. Only it is exploitable :-) Dump with kerberos has __atexit and __cleanup after all the other variables on the heap. By overwriting these variables you can start your shellcode. Most of the credits should go to zen-parse who found and tested this.
This was fixed on 1999/11/30 in 4.0-CURRENT by internal security auditing and backported to 3.3-STABLE on 1999/12/13. Therefore FreeBSD 3.4 (the most recent release) is not vulnerable.

On the one hand, I'm glad you checked FreeBSD for vulnerability, but on the other hand it would be kinda nice to at least check the most recent release if not the -stable branch, instead of something more than 3 months out of date. Or failing that, to at least state which version it was that you found to be vulnerable :-(

----------------------------
revision 1.9
date: 1999/11/10 18:11:16;  author: imp;  state: Exp;  lines: +2 -2
vsprintf -> vsnprintf in msg().
----------------------------
----------------------------
revision 1.5.2.3
date: 1999/12/13 15:53:13;  author: imp;  state: Exp;  lines: +2 -2
Back merge buffer overflow in static buffer
----------------------------

----SNIP
	(void) vfprintf(stderr, fmt, ap);
	(void) fflush(stdout);
	(void) fflush(stderr);
	(void) vsnprintf(lastmsg, sizeof(lastmsg), fmt, ap);
	va_end(ap);
----SNIP

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe () alum mit edu>
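Added example, not code from this thread and not FreeBSD's dump(8) or libc: the one-line vsprintf -> vsnprintf fix the commit log above records, shown against the layout Lamagra describes (a fixed-size static message buffer with exit-time function pointers placed after it). The struct, its field names and sizes, the 32-byte buffer and the 35-character "file name" are assumptions constructed for the demonstration; the function pointer merely stands in for __atexit/__cleanup and is never called.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model (an assumption, not the real dump/libc layout): a
 * fixed-size message buffer followed in memory by a function pointer that
 * stands in for libc's __atexit / __cleanup, which exit() would call.
 */
struct msg_state {
    char lastmsg[32];
    void (*cleanup)(void);
};

static void real_cleanup(void) { /* what exit() would normally reach */ }

/* Vulnerable msg(): vsprintf() has no idea how large lastmsg is. */
static void msg_vulnerable(struct msg_state *st, const char *fmt, ...)
{
    va_list ap, ap2;

    va_start(ap, fmt);
    va_copy(ap2, ap);                 /* a va_list may be walked only once */
    (void) fputs("  DUMP: ", stderr);
    (void) vfprintf(stderr, fmt, ap);
    (void) fputc('\n', stderr);
    /*
     * Written through the struct's base address so that, for this
     * demonstration, the overflow stays inside one object.  The real
     * code wrote straight through a static char array into whatever
     * the linker placed after it.
     */
    (void) vsprintf((char *)st, fmt, ap2);
    va_end(ap2);
    va_end(ap);
}

/* Fixed msg(): bounded, always NUL-terminated.  Returns the length the
 * full message would have had; n >= sizeof lastmsg means it was truncated. */
static int msg_hardened(struct msg_state *st, const char *fmt, ...)
{
    va_list ap, ap2;
    int n;

    va_start(ap, fmt);
    va_copy(ap2, ap);
    (void) fputs("  DUMP: ", stderr);
    (void) vfprintf(stderr, fmt, ap);
    (void) fputc('\n', stderr);
    n = vsnprintf(st->lastmsg, sizeof(st->lastmsg), fmt, ap2);
    va_end(ap2);
    va_end(ap);
    return n;
}

/* 1 if the stored function pointer no longer equals real_cleanup
 * (compared byte-wise; the clobbered pointer is never dereferenced). */
int cleanup_clobbered(const struct msg_state *st)
{
    void (*expect)(void) = real_cleanup;
    return memcmp(&st->cleanup, &expect, sizeof expect) != 0;
}

/* Constructed attacker-controlled input, e.g. an over-long file name:
 * fills buf with 'A' and NUL-terminates it. */
static void long_name(char *buf, size_t n)
{
    memset(buf, 'A', n - 1);
    buf[n - 1] = '\0';
}

struct msg_state vulnerable_state, hardened_state;

/* Returns 1 when the 35-byte name overflowed lastmsg into the pointer. */
int demo_vulnerable(void)
{
    char name[36];

    memset(&vulnerable_state, 0, sizeof vulnerable_state);
    vulnerable_state.cleanup = real_cleanup;
    long_name(name, sizeof name);
    msg_vulnerable(&vulnerable_state, "%s", name);
    return cleanup_clobbered(&vulnerable_state);
}

/* Returns vsnprintf's would-be length (35); lastmsg keeps 31 bytes + NUL. */
int demo_hardened(void)
{
    char name[36];

    memset(&hardened_state, 0, sizeof hardened_state);
    hardened_state.cleanup = real_cleanup;
    long_name(name, sizeof name);
    return msg_hardened(&hardened_state, "%s", name);
}

int main(void)
{
    int n = 0;

    printf("vulnerable: cleanup pointer clobbered = %d\n", demo_vulnerable());
    n = demo_hardened();
    printf("hardened:   stored %zu of %d bytes, clobbered = %d\n",
           strlen(hardened_state.lastmsg), n, cleanup_clobbered(&hardened_state));
    return 0;
}
```

Two things worth checking in your own msg()-style helpers: vsnprintf's return value is the only signal that the message was cut short, so compare it against the buffer size if truncation matters; and the snippet Kris quotes hands the same va_list to vfprintf() and then to vsnprintf(), which C99 does not permit (a va_list can be traversed once), so the example takes a va_copy() for the second pass.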
Current thread:
- Re: dump buffer overflow Lamagra Argamal (Mar 07)
- Re: dump buffer overflow Przemyslaw Frasunek (Mar 08)
- New online publication: "Computer Vulnerabilities" Eric Knight (Mar 08)
- Re: dump buffer overflow Kris Kennaway (Mar 08)
- [TL-Security-Announce] man-1.5g-5 and earlier TLSA2000004-1 Jeremiah Johnson (Mar 08)
- Re: dump buffer overflow Warner Losh (Mar 08)