Re: [Debian-audit] Generic questions about potential attack types.

From: Ulf Harnhammar <metaur_at_telia.com>
Date: Sun, 6 Mar 2005 14:23:08 +0100

On Sun, Mar 06, 2005 at 01:56:43AM +0100, Uwe Hermann wrote:
> a) if the line
> HOME=`perl -e 'print "A" x 1000;'` program
> crashes the program (which most surely hints at a buffer overflow)
> this is only exploitable if 'program' is setuid/setgid?

You can check if it's a stack-based buffer overflow by doing this in
gdb and seeing if the value of EIP is 0x41414141.

$ export HOME=`blah`
$ gdb program
(gdb) r
[crashes horribly]
(gdb) bt
(gdb) i r
(gdb) q

You might have to try lots of sizes other than 1000 to reach a state
where you control all of EIP.

> Are there any other possibilities how this could potentially be
> exploited in case 'program' is _not_ setuid/setgid?

Not that I can think of right now. The two normal attack vectors are doing
things like this to setuid/setgid programs or sending malicious stuff over
the Internet to clients or servers. Binary files with malicious data
(compressed archives, WAV files, images...) are getting more popular to
fiddle with.

> Does such a bug justify a DSA, or should I just file a bug-report?

We have found a bunch of these bugs, and we just file bugs for them.

> b) if I can crash an application with
> program --some-switch `perl -e 'print "A" x 1000;'`
> i.e. an overly long command-line switch, I can't do very much damage
> if 'program' is not setuid/setgid, right?

No, not that I can think of. It's a normal bug, but those are nice to find
and fix too as a part of Debian's QA work.

Good luck with your auditing!

// Ulf Härnhammar
Received on Sun Mar 06 2005 - 13:23:07 GMT
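As an added illustration (not code from this mail or from any Debian package) of the kind of bug the HOME=`perl -e 'print "A" x 1000;'` test is hunting for: the unchecked copy of $HOME into a fixed-size stack buffer that yields EIP=0x41414141 in gdb, next to a bounded version that rejects an over-long value instead. The rc-file name, buffer size and program are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF_LEN 256
#define RCFILE "/.programrc"   /* constructed name, not any real program's */

/*
 * The shape of the bug being audited for: $HOME is copied into a
 * fixed-size stack buffer with no length check. A 1000-byte HOME runs
 * past 'path', overwrites the saved return address with 'A' bytes and
 * produces the EIP=0x41414141 seen in gdb. Shown only for comparison;
 * it must never be reached with untrusted input.
 */
void build_rcfile_path_unsafe(const char *home, char *path /* [PATH_BUF_LEN] */)
{
    strcpy(path, home);          /* unbounded: overflows once strlen(home) >= 256 */
    strcat(path, RCFILE);
}

/*
 * Hardened form: every write is bounded by the destination size, and a
 * missing or over-long HOME is reported instead of silently truncated.
 * Returns 0 on success, -1 if the path would not fit.
 */
int build_rcfile_path(const char *home, char *path, size_t pathlen)
{
    if (home == NULL || pathlen == 0)
        return -1;
    int n = snprintf(path, pathlen, "%s%s", home, RCFILE);
    if (n < 0 || (size_t)n >= pathlen) {
        path[0] = '\0';          /* do not leave a half-built path behind */
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[PATH_BUF_LEN];
    if (build_rcfile_path(getenv("HOME"), path, sizeof path) != 0) {
        fprintf(stderr, "HOME is unset or too long; refusing to continue\n");
        return 1;
    }
    printf("rc file: %s\n", path);
    return 0;
}
```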