HPUX Wall Buffer Overflow

Type securityvulns
Reporter Securityvulns
Modified 2003-02-08T00:00:00


Hi all, after looking to check if this had been reported before I couldn't find anything, so here's my two cents:

HPUX /usr/sbin/wall Buffer Overflow.

bash-2.04$ ls -las /usr/sbin/wall
40 -r-xr-sr-x 1 bin tty 20480 Nov 7 1997 /usr/sbin/wall

Wall on HPUX works in the following way:

echo "Something to Say" > file wall file

The problem arises when we place 9000 A's into the file to be broadcast by the wall program.

(Tested on HPUX 11.11)

perl -e 'print "A" x 9000' > /tmp/out /usr/sbin/wall /tmp/out Memory fault

(Tested on HPUX 11.00) perl -e 'print "A" x 9000' > /tmp/out /usr/sbin/wall /tmp/out bash-2.04$ /usr/sbin/wall /tmp/out Segmentation fault

Looking at the registers, we can see:

Program received signal SIGSEGV, Segmentation fault. 0x7f779c08 in strcat () from /usr/lib/libc.2 (gdb) bt 7f779c08 in strcat () from /usr/lib/libc.2

1 0x34dc in ?? ()

2 0x34dc in ?? ()

3 0x34dc in ?? ()

4 0x34dc in ?? ()

Error accessing memory address 0xffffffff: Bad address. etc.. etc

The wall binary has Set Group ID of tty, so not a huge problem, but even so - still a security risk.


uk2sec Memebers; eip, c0w uk2sec@oakey.no-ip.com