Re: [Full-Disclosure] ipcs on HP-UX 11.0

From: jon@terrasecurity.co.uk
Date: 03/28/03

    From: jon@terrasecurity.co.uk
    To: bt@delfi.lt
    Date: Fri, 28 Mar 2003 10:53:38 +0000
    

    I found a vulnerability with ipcs a while back (January 2002), but on a
    different platform. Details:

    % uname -a
    Digital UNIX V4.0F (Rev. 1229) ; OSF1 V4.0 1229 alpha
    % ls -l /usr/bin/ipcs
    -rws--x--x 1 root bin 32768 Jun 3 1999 /usr/bin/ipcs
    % /usr/bin/ipcs -N `perl -e "print 'A' x 314"`
    Segmentation fault

    There was also an overflow with the -K option if I remember correctly.

    I reported this problem to Compaq, the vulnerability was confirmed, and
    the bug was assigned a tracking number. Since then I have not been able
    to get any information from Compaq on this issue.

    Can anyone confirm this on a later version?

    Jon

    bt@delfi.lt wrote:
    > Hi!
    > There is a buffer overflow in /usr/bin/ipcs on HP-UX 11.0 (other versions might be
    > vulnerable too).
    > $ ls -al /usr/bin/ipcs
    > -r-xr-sr-x 1 bin sys 28672 Apr 23 1999 /usr/bin/ipcs
    > $ /usr/bin/ipcs -C `perl -e 'print "A" x 2232'`
    > Segmentation fault
    > All ipcs vulnerabilities I know about are on HP Tru64.
    > This system was patched with PHCO_18374 - the latest patch for ipcs.
    > I'm just wondering if it was known before, and if it was - maybe someone has a working proof
    > of concept on this.
    > bt@delfi.lt

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

