Vulnerability Development mailing list archives
Security bugs in nokia voyager, BO dev.
From: gregory duchemin <c3rb3r () HOTMAIL COM>
Date: Fri, 29 Sep 2000 16:13:05 GMT
Voyager works with a multipurposes cgi called html_page that make a call to html_gen with a filename as a template script. Html_gen produce the final html page returned by apache. if u test this kind of url: http://your-nokia/http://10.1.152.2/cgi-bin/html_page?TEMPLATE=arp&IH=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA u 'll get a segfault error page. if u test it with a command line, u ll reproduce the same signal. Obviously, html_gen is unable to manage properly a big amount a data in some of its parameters. IH is one of the html_page's paramaters that does the job. with telnet, try (under tcsh) #setenv QUERY_STRING "TEMPLATE=arp&IH=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" #/web/cgi-bin/html_page Content-type: text/html <br>Html_gen exited because of signal: Segmentation fault<br> nokia1[admin]# i don't exactly know the format of arguments html_page feeds to html_gen and so how to reproduce signal SIGSEG directly with html_gen. ( how can i find it with gdb ? ) i ll try a precompiled freebsd compiler to wrote some tests program on my ipso 3.2.1 help would be appreciate. Note: because u already must be administrator to access the voyager setup, security impact is relatively low considering that default configuration wasn't poorly modified. because nokia ipso isn't dedicated for a multi-user work usage and noone else root should be able to login, impact for local rooting is low too considering the same things that above. Gregory Duchemin
It's supposed to be a FreeBSD branch. It's pretty different from a regular install, from what I recall. Where's the overflow?

BB

gregory duchemin wrote:
>
> hi,
>
> is there someone here that exactly know from which *bsd is nokia ipso
> originated from ?
> I found last day an overflow but naturally no source, no compiler, just a
> gdb...has one of u successfully tried to install and use a pre-compiled
> compiler on this kind of system ?
> thanx for your help
> Gregory