securityvulns SECURITYVULNS:DOC:485
Jul 28, 2000 - 12:00 a.m.

[ Hackerslab bug_paper ] HP-UX bdf -t option buffer overflow vul.


================================================================================

         [ Hackerslab bug_paper ] HP-UX bdf -t option buffer overflow vul

================================================================================

File : /usr/bin/bdf

SYSTEM : HP-UX 11.00

       Tested by  HP-UX B.11.00

INFO :

       bdf - report number of free disk blocks (Berkeley version)

       -t type        Report on the file systems of a given type (for
                      example, nfs or hfs).
  • 'bdf' program has SUID permission.

$ ls -la `which bdf`
-r-sr-xr-x 1 root bin 24576 Apr 7 1998 /usr/bin/bdf

  • Using the '-t' option with a long string

$ bdf -t `perl -e 'print "A"x2415'`
bdf: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAA…omited…AAAAAAAAAAAAAAAA : No such file or directory
usage: bdf [ -b ] [ -i ] [ -l ] [-t type | file… ]
$ bdf -t `perl -e 'print "A"x2416'`
Memory fault
$

<bash environment>
bash-2.04$ bdf -b -t `perl -e 'print "A"x2416'`
Segmentation fault
bash-2.04$


If the argument is longer than 2415 characters, 'bdf' dies with a segmentation fault.
Maybe… 'bdf' does not check the string boundary.
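
Added example (not part of the original advisory, and not bdf's source, which the advisory does not show): the kind of boundary check the note above suspects is missing, written as a hypothetical option handler that rejects an oversized '-t' value instead of copying it. FS_TYPE_MAX, copy_fs_type and format_type_error are assumed names; the 2416-byte input is constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define FS_TYPE_MAX 32   /* assumed limit; type names such as nfs or hfs are short */

/* Unchecked pattern (for contrast only, never compiled or called):
 *     char type[FS_TYPE_MAX];
 *     strcpy(type, optarg);    copies until NUL, ignoring sizeof type
 */

/* Copy a user-supplied type name into dst, rejecting input that does not fit.
 * Returns 0 on success, -1 with errno set. Oversized input is refused rather
 * than truncated, so a clipped name is never silently accepted. */
int copy_fs_type(char *dst, size_t dstsz, const char *arg)
{
    const char *nul;

    if (dst == NULL || arg == NULL || dstsz == 0) {
        errno = EINVAL;
        return -1;
    }
    nul = memchr(arg, '\0', dstsz);   /* looks at no more than dstsz bytes */
    if (nul == NULL) {                /* no terminator within the buffer size */
        dst[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dst, arg, (size_t)(nul - arg) + 1);   /* includes the NUL */
    return 0;
}

/* Build the rejection message with a precision cap, so the rejected value
 * is not echoed in full. Returns the message length. */
int format_type_error(char *out, size_t outsz, const char *arg)
{
    return snprintf(out, outsz, "bdf: %.*s: type too long", FS_TYPE_MAX, arg);
}

int main(void)
{
    char type[FS_TYPE_MAX], msg[96], longarg[2417];   /* constructed input */

    memset(longarg, 'A', 2416);
    longarg[2416] = '\0';
    if (copy_fs_type(type, sizeof type, longarg) != 0) {
        format_type_error(msg, sizeof msg, longarg);
        puts(msg);
    }
    return copy_fs_type(type, sizeof type, "nfs");
}
```
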

SOLUTION

Don't know :)

==-------------------------------------------------------------------------------==
*********