the joke continue
From: Izik (izik@tty64.org)
Date: 11/12/01
Message-ID: <3BEF9906.2060307@tty64.org>
Date: Mon, 12 Nov 2001 11:40:22 +0200
From: Izik <izik@tty64.org>
To: bugtraq@securityfocus.com, vuln-dev@security-focus.com
Subject: the joke continue

Hello
after looking on the vim buffer overflow, i couldn't help but wonder what if
other editors will be bugged as well.
to my surprise i've found 3 more programs (mcedit, ed, joe). but then
again none of them are suid. so it's harmless.
(root@izik [~])# uname -a
Linux izik 2.2.19 #93 Thu Jun 21 01:09:03 PDT 2001 i686 unknown
(root@izik [~])# cat /etc/slackware-version
8.0.0 (åtta)
(root@izik [~])#
[mcedit (part of The Midnight Commander 4.5.51)]
(root@izik [~])# ls -la /usr/bin/mcedit
lrwxrwxrwx 1 root root 2 Jul 2 17:50 /usr/bin/mcedit -> mc*
(root@izik [~])#
i've found one segfault, buffer should be at least 4048 bytes. i
couldn't manage to debug it through gdb
for obvious reasons. (ncurses)
[ed (no idea what version)]
(root@izik [~])# ls -al /bin/ed
-rwxr-xr-x 1 root bin 67396 May 31 00:17 /bin/ed*
(root@izik [~])#
i've found 4 segfaults. for diff functions via diff buffers.
(segfault #1 , 4100 - 4140)
Program received signal SIGSEGV, Segmentation fault.
chunk_free (ar_ptr=0x4012acc0, p=0x805b318) at malloc.c:3083
3083 malloc.c: No such file or directory.
(segfault #2 , 4141 - 4152)
Program received signal SIGSEGV, Segmentation fault.
__libc_free (mem=0x41414141) at malloc.c:3039
3039 malloc.c: No such file or directory.
(segfault #3 , 4153 - 4175)
Program received signal SIGSEGV, Segmentation fault.
0x4008c1f6 in _IO_old_fclose (fp=0x805b320) at oldiofclose.c:55
55 oldiofclose.c: No such file or directory.
(segfault #4 , 4176 - .... )
Program received signal SIGSEGV, Segmentation fault.
0x4008c1f6 in _IO_old_fclose (fp=0x805b320) at oldiofclose.c:55
55 oldiofclose.c: No such file or directory.
[joe (v2.9.5)]
(root@izik [~])# ls -al /usr/bin/joe
-rwxr-xr-x 1 root bin 174908 Apr 9 2001 /usr/bin/joe*
(root@izik [~])#
i've pushed ctrl+c after the buffer was processed, you can segfault on
diff. functions dep on your action in the program.
(segfault #1 , 1024)
(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
--izik @ http://www.tty64.org
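
Added example (not part of the original message): a small triage script that reads gdb crash records like the ones quoted above and ranks them by how far the test input reached. It assumes the oversized buffer was filled with 'A' (0x41) bytes, which the message does not state; the names triage, is_fill and the severity labels are made up for this example.

```python
import re

# Constructed sample: the gdb crash records quoted in the message above.
GDB_LOG = """\
Program received signal SIGSEGV, Segmentation fault.
chunk_free (ar_ptr=0x4012acc0, p=0x805b318) at malloc.c:3083
Program received signal SIGSEGV, Segmentation fault.
__libc_free (mem=0x41414141) at malloc.c:3039
Program received signal SIGSEGV, Segmentation fault.
0x4008c1f6 in _IO_old_fclose (fp=0x805b320) at oldiofclose.c:55
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
"""

SIGNAL = re.compile(r"^Program received signal (\w+)")
# Frame line: optional "0xPC in ", function name, parenthesised arguments.
FRAME = re.compile(r"^(?:(0x[0-9a-fA-F]+) in )?(\S+) \((.*?)\)")
ALLOCATOR_FUNCS = {"chunk_free", "__libc_free", "free", "chunk_alloc", "malloc"}


def is_fill(value, fill=0x41):
    """True if all four bytes of a 32-bit hex value equal the fill byte."""
    n = int(value, 16)
    return all(((n >> shift) & 0xFF) == fill for shift in (0, 8, 16, 24))


def triage(log):
    """Return one (function, severity) tuple per crash record in a gdb log."""
    results = []
    lines = log.splitlines()
    for i, line in enumerate(lines[:-1]):
        frame = FRAME.match(lines[i + 1]) if SIGNAL.match(line) else None
        if not frame:
            continue
        pc, func, args = frame.groups()
        arg_values = re.findall(r"=(0x[0-9a-fA-F]+)", args)
        if pc and is_fill(pc):
            severity = "pc-overwritten"            # fill bytes became the program counter
        elif any(is_fill(v) for v in arg_values):
            severity = "pointer-argument-overwritten"  # fill bytes used as a pointer
        elif func in ALLOCATOR_FUNCS:
            severity = "crash-in-allocator"        # fault inside malloc/free internals
        else:
            severity = "crash-needs-analysis"
        results.append((func, severity))
    return results
```

Records ranked pc-overwritten or pointer-argument-overwritten are the ones to fix first, since the input data itself ended up in a control or pointer value.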