Vulnerability Development mailing list archives
Editor Overflows / Format Issues (pico)
From: elguapo <dotslash () snosoft com>
Date: Sun, 11 Nov 2001 20:50:57 -0500
Well since the vi overflow generated some comments... same issue with pico... again not suid and probably useless but here it is... as a side note this is a format string and buffer overflow issue.
this is on openunix8
$ pico `perl -e 'print "A" x 9000'`
UW PICO(tm) 2.9 New Buffer
Memory fault(coredump)

Now I have also seen systems where this does not work... however a use of %s gets around this as shown below...
this is on freebsd 4-4
UW PICO(tm) 4.0 New Buffer [ Filename "AAAAAAAAAA..." too long ]
pico `perl -e 'print "%x" x 900'`
UW PICO(tm) 4.0 New Buffer [ Filename "00000..." too long ]
pico `perl -e 'print "%s" x 40'`
UW PICO(tm) 4.0 File: %s%s%s%s
UW PICO(tm) 4.0 New Buffer
Segmentation fault (core dumped)

On some versions I have seen %x or %p make pico show [ Filename "0xbff7f..." too long ], usually however it shows 000000000 as the file name. Any comments... other results... or possible uses of this issue?

-KF
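The %s / %x results above are the classic symptom of a user-controlled string reaching printf-style code as its format argument rather than as data. The following is an added example, not pico's source (which is not on this page): a hypothetical status-message builder in its vulnerable and fixed forms, plus a check that flags conversion directives before a string reaches such code. The demonstration input uses only "%%", which is well defined, so it runs without the undefined reads that %x or %s would cause.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of the bug class (CWE-134), not pico's code:
 * building a "[ Filename "..." too long ]" status message from a name the
 * user supplied on the command line. */

#define MSG_LEN 256

/* VULNERABLE: name is passed as the format string, so any '%' directives in
 * it are interpreted ("%%" collapses to "%"; "%x"/"%s" would read arguments
 * that were never passed, which is what the post's output shows).
 * snprintf keeps this demo bounded; an unbounded copy would also explain the
 * 9000-byte crash in the post. */
size_t status_unsafe(const char *name, char *out, size_t outlen) {
    char tmp[MSG_LEN];
    snprintf(tmp, sizeof tmp, name);           /* user data used as format */
    return (size_t)snprintf(out, outlen, "[ Filename \"%s\" too long ]", tmp);
}

/* FIXED: the name is always an argument to a literal format, never the
 * format itself, and the output length is bounded by outlen. */
size_t status_safe(const char *name, char *out, size_t outlen) {
    return (size_t)snprintf(out, outlen, "[ Filename \"%s\" too long ]", name);
}

/* Input check: does the string carry a conversion directive? A lone "%%"
 * is a literal percent and is not flagged; a trailing single '%' is. */
int has_format_directive(const char *s) {
    for (; (s = strchr(s, '%')) != NULL; s++) {
        if (s[1] == '%') { s++; continue; }    /* escaped "%%", skip both */
        return 1;
    }
    return 0;
}
```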