RE: UUCP

From: Ziggy (ziggy@sanyutel.com)
Date: 11/30/01


From: "Ziggy" <ziggy@sanyutel.com>
To: "Izik" <izik@tty64.org>, <vuln-dev@security-focus.com>, <bugtraq@securityfocus.com>
Subject: RE: UUCP
Date: Fri, 30 Nov 2001 12:18:29 +0300
Message-ID: <PIEEIKGKKEFPJHGKAOAHKEEMCBAA.ziggy@sanyutel.com>

SuSE posted a UUCP bug a while back just not sure if it is the same one but
the advisory stated that anyone using UUCP should upgrade.!

-----Original Message-----
From: Izik [mailto:izik@tty64.org]
Sent: Thursday, November 29, 2001 3:13 PM
To: vuln-dev@security-focus.com; bugtraq@securityfocus.com
Subject: UUCP

Hello

i've found buffer overflow in uucp. in BSDi platform's
right now i've checked that on:

BSDI BSD/OS 4.0.1 Kernel #1: Thu Jun 10 15:24:57 PDT 1999
BSDI BSD/OS 3.0 Kernel #0: Thu Jan 30 13:02:43 MST 1997

versions that seems to be vuln are:

Version: uucp_args.c,v 2.1 1995/02/03 13:22:07 polk Exp
"BSD/OS 4.0 98/06/11"

Version: uucp_args.c,v 2.1 1995/02/03 13:22:07 polk Exp
"BSD/OS 3.0 97/01/17"

buffer overflow is based on command line argv. for ex:

/usr/bin/uucp `perl -e 'print "A" x 900'` `perl -e 'print "A" x 900'`
`perl -e 'print "A" x 356'`

the ret addr is totaly writable, and it's marked as 352 - 354.
in the thrid buffer (from left to right).

since uucp is by nature suid. and the ownership is by uucp
i don't see the real profit. what does bother me is that uucp
also got a daemon ...

Singed.
izik @ http://www.tty64.org



Relevant Pages

  • [EXPL] UUCP Family Exploit (uucp / uuparams / uuname)
    ... UUCP Command Line ... Arguments Buffer Overflow, a buffer overflow vulnerability in UUCP allows ... The information in this bulletin is provided "AS IS" without warranty of any kind. ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
    (Securiteam)
  • [UNIX] UUCP Command Line Arguments Buffer Overflow
    ... UUCP Command Line Arguments Buffer Overflow ... A buffer overflow vulnerability in UUCP has been found. ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
    (Securiteam)
  • Re: UUCP
    ... Subject: UUCP ... security fix for uuxqt parsing of command line arguments ... > buffer overflow is based on command line argv. ...
    (Vuln-Dev)
  • RE: UUCP
    ... This is really funny if true, I remember seeing this bug over a long period ... many releases of one flavor of UNIX.... ... Subject: UUCP ... buffer overflow is based on command line argv. ...
    (Vuln-Dev)
  • UUCP
    ... Subject: UUCP ... in BSDi platform's ... versions that seems to be vuln are: ... buffer overflow is based on command line argv. ...
    (Vuln-Dev)