[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: HP-UX finger possible security hole

To: BUGTRAQ@NETSPACE.ORG
Subject: Re: HP-UX finger possible security hole
From: Walter Misar <misar@RBG.INFORMATIK.TU-DARMSTADT.DE>
Date: Wed, 27 May 1998 08:45:22 +0200
Approved-By: aleph1@NATIONWIDE.NET
Reply-To: Walter Misar <misar@RBG.INFORMATIK.TU-DARMSTADT.DE>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>

> while i was playing with the finger command, i got a coredump when
> i submit
>
> finger aaaa ( 200 random caracters )
>
> i wonder if this is a possible security hole because the finger
> command is owned by bin group.

The situation is far worse, if fingerd is run (which invokes finger).

> my HP-UX is A.09.05 A 9000/73
>
> sorry if this is an old bug i didn t had the time to check the archive
> and forgive me for my broken english :)

When I first noticed this some years ago, I didn't find anything about it
in any archives. But the hole should prove hard to exploit anyway - at least
for the m68k hpux version, the overflow was in the malloc() area - it cores
after a second call to malloc(). So standard techniques won't apply, but
it should be possible to direct the write to the second malloced() area to
any memory location.

        Walter

Prev by Date: Problem with ascend pipeline routers.
Next by Date: Re: ircii-pana (BitchX) 74p4 overflow
Prev by thread: Re: HP-UX finger possible security hole
Next by thread: Re: HP-UX finger possible security hole
Index(es):
- Date
- Thread