Re: UUCP

From: Iván Arce (core.lists.exploit-dev@core-sdi.com)
Date: 11/30/01


Message-ID: <01df01c179e0$3a9f05e0$2e58a8c0@ffornicario>
From: Iván Arce <core.lists.exploit-dev@core-sdi.com>
To: <vuln-dev@securityfocus.com>
Subject: Re: UUCP
Date: Fri, 30 Nov 2001 17:47:30 -0300

Dunno if it's the same thing, OpenBSD's changelog shows a
security fix for uuxqt parsing of command line arguments
on Sept. 11, 2001:

http://www.openbsd.org/errata29.html#uucp

---

"Understanding. A cerebral secretion that enables one having it to know
a house from a horse by the roof on the house. Its nature and laws have
been exhaustively expounded by Locke, who rode a house, and Kant, who
lived in a horse." - Ambrose Bierce

CORE Security Technologies
Iván Arce
Co-Founder and CTO
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
email : ivan.arce@corest.com
http://www.corest.com

----- Original Message -----
From: Izik <core.lists.exploit-dev@core-sdi.com>
Newsgroups: core.lists.exploit-dev
To: <vuln-dev@securityfocus.com>
Sent: Thursday, November 29, 2001 9:13 AM
Subject: UUCP

> Hello
>
> I've found a buffer overflow in uucp, in BSDi platforms.
> Right now I've checked that on:
>
> BSDI BSD/OS 4.0.1 Kernel #1: Thu Jun 10 15:24:57 PDT 1999
> BSDI BSD/OS 3.0 Kernel #0: Thu Jan 30 13:02:43 MST 1997
>
> Versions that seem to be vuln are:
>
> Version: uucp_args.c,v 2.1 1995/02/03 13:22:07 polk Exp
> "BSD/OS 4.0 98/06/11"
>
> Version: uucp_args.c,v 2.1 1995/02/03 13:22:07 polk Exp
> "BSD/OS 3.0 97/01/17"
>
> The buffer overflow is based on command line argv. For ex:
>
> /usr/bin/uucp `perl -e 'print "A" x 900'` `perl -e 'print "A" x 900'` `perl -e 'print "A" x 356'`
>
> The ret addr is totally writable, and it's marked as 352 - 354
> in the third buffer (from left to right).
>
> Since uucp is by nature suid, and the ownership is by uucp,
> I don't see the real profit. What does bother me is that uucp
> also got a daemon ...
>
> Signed.
> izik @ http://www.tty64.org
>

--- for a personal reply use: Iván Arce <ivan.arce@corest.com>


