the joke continue

From: Izik (izik@tty64.org)
Date: 11/12/01


Message-ID: <3BEF9906.2060307@tty64.org>
Date: Mon, 12 Nov 2001 11:40:22 +0200
From: Izik <izik@tty64.org>
To: bugtraq@securityfocus.com, vuln-dev@security-focus.com
Subject: the joke continue

Hello

After looking at the vim buffer overflow, I couldn't help wondering whether
other editors would be bugged as well.
To my surprise I've found 3 more programs (mcedit, ed, joe). But then
again, none of them are suid, so it's harmless.

(root@izik [~])# uname -a
Linux izik 2.2.19 #93 Thu Jun 21 01:09:03 PDT 2001 i686 unknown
(root@izik [~])# cat /etc/slackware-version
8.0.0 (åtta)
(root@izik [~])#

[mcedit (part of The Midnight Commander 4.5.51)]

(root@izik [~])# ls -la /usr/bin/mcedit
lrwxrwxrwx 1 root root 2 Jul 2 17:50 /usr/bin/mcedit -> mc*
(root@izik [~])#

I've found one segfault; the buffer should be at least 4048 bytes. I
couldn't manage to debug it through gdb, for obvious reasons (ncurses).

[ed (no idea what version)]

(root@izik [~])# ls -al /bin/ed
-rwxr-xr-x 1 root bin 67396 May 31 00:17 /bin/ed*
(root@izik [~])#

I've found 4 segfaults, in different functions via different buffers.

(segfault #1 , 4100 - 4140)
Program received signal SIGSEGV, Segmentation fault.
chunk_free (ar_ptr=0x4012acc0, p=0x805b318) at malloc.c:3083
3083 malloc.c: No such file or directory.

(segfault #2 , 4141 - 4152)
Program received signal SIGSEGV, Segmentation fault.
__libc_free (mem=0x41414141) at malloc.c:3039
3039 malloc.c: No such file or directory.

(segfault #3 , 4153 - 4175)
Program received signal SIGSEGV, Segmentation fault.
0x4008c1f6 in _IO_old_fclose (fp=0x805b320) at oldiofclose.c:55
55 oldiofclose.c: No such file or directory.

(segfault #4 , 4176 - .... )
Program received signal SIGSEGV, Segmentation fault.
0x4008c1f6 in _IO_old_fclose (fp=0x805b320) at oldiofclose.c:55
55 oldiofclose.c: No such file or directory.

[joe (v2.9.5)]

(root@izik [~])# ls -al /usr/bin/joe
-rwxr-xr-x 1 root bin 174908 Apr 9 2001 /usr/bin/joe*
(root@izik [~])#

I've pushed Ctrl+C after the buffer was processed; you can segfault in
different functions depending on your action in the program.

(segfault #1 , 1024)
 
(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

--

izik @ http://www.tty64.org
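The crash sites quoted above (free() handed 0x41414141, chunk_free on a corrupted chunk) are the usual signature of a line longer than a fixed-size buffer being copied into the heap without a bound, and the defensive fix is a reader that grows its buffer instead. The following is an added example and is not code from the post or from mcedit, ed or joe; `read_line_dyn`, `first_line_len` and `long_a_line_len` are hypothetical names, and the 'A'-filled input is constructed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read one line of any length into *buf, growing it as needed. Returns the
 * length without the newline, or -1 at EOF with nothing read or on allocation
 * failure. Every byte is stored only after a capacity check, so a 4100-byte
 * line grows the buffer instead of spilling into the neighbouring heap chunk. */
static long read_line_dyn(FILE *fp, char **buf, size_t *cap) {
    size_t len = 0;
    int c;
    for (;;) {
        if (len + 2 > *cap) {                   /* room for this byte + NUL */
            size_t ncap = *cap ? *cap * 2 : 128;
            char *nb;
            if (*cap > SIZE_MAX / 2) return -1; /* refuse to wrap size_t */
            if ((nb = realloc(*buf, ncap)) == NULL) return -1;
            *buf = nb; *cap = ncap;
        }
        c = fgetc(fp);
        if (c == EOF || c == '\n') break;
        (*buf)[len++] = (char)c;
    }
    if (c == EOF && len == 0) return -1;
    (*buf)[len] = '\0';
    return (long)len;
}

/* Length read_line_dyn reports for the first line of constructed `text`
 * (tmpfile() stands in for a file on disk); -2 if no stream is available. */
static long first_line_len(const char *text) {
    FILE *fp = tmpfile();
    char *buf = NULL; size_t cap = 0; long n;
    if (fp == NULL) return -2;
    fputs(text, fp); rewind(fp);
    n = read_line_dyn(fp, &buf, &cap);
    free(buf); fclose(fp);
    return n;
}

/* Constructed input shaped like the post's: `len` bytes of 'A' (0x41), a
 * newline, then a second line. Returns the length read back for line one. */
static long long_a_line_len(size_t len) {
    char *s = malloc(len + 7); long n;
    if (s == NULL) return -2;
    memset(s, 'A', len); memcpy(s + len, "\nnext\n", 7);
    n = first_line_len(s); free(s);
    return n;
}
```

Sizes in the 4100-4176 range the post lists, and far beyond, are read back whole; an editor built on a fixed 4096-byte buffer and an unbounded copy would instead overwrite whatever the allocator placed next.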
