[ http://www.rootshell.com/ ]
Date: Sat, 4 Jul 1998 11:10:54 -0500
From: CyberPsychotic <fygrave@FREENET.BISHKEK.SU>
Subject: allocslip
I have the feeling that allocslip in the dslip package has an overflow
in it (since it's setuid it should bring a rootshell with a careful
exploit).
Here's how I tested it:
package Dslip, version 2.03
(sunsite.unc.edu/pub/Linux/system/Network/serial/dslip203.tgz)
The package is rather old, but I found it being used on some Linux
machines around.
gdb allocslip
GDB is free software and you are welcome to distribute copies of it
under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.16 (i586-unknown-linux), Copyright 1996 Free Software Foundation, Inc...
(no debugging symbols found)...
(gdb) run b_s `perl -e ' printf "A" x 300'`
[usual GDB messages]
GO! sh: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA: command
not found
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb)
info registers shows:
ebp 0x41414141 0x41414141
esi 0x40001fb0 1073749936
edi 0x80487f8 134514680
eip 0x41414141 0x41414141
Obviously the stack is smashed.
----------------------------------------------------------------------------
Date: Wed, 8 Jul 1998 15:41:19 +0200
From: "M.C.Mar" <woloszyn@IT.PL>
Subject: Re: allocslip
I downloaded it from
sunsite.unc.edu/pub/Linux/system/network/serial/dslip203.tgz, and it does
not seem to be vulnerable:
emsi:~/hack/dslip/slip/bin> ./allocslip b_s `perl -e ' printf "A" x 300'`
GO!
Or even:
emsi:~/hack/dslip/slip/bin> ./allocslip b_s `perl -e ' printf "A" x 6000'`
GO!
It does NOT segfault (my system is Slackware 3.4 with 2.0.34 Kernel).
So it was fixed or is not vulnerable at all (I tested it on both -
precompiled and compiled myself).
--
___________________________________________________________________________
M.C.Mar An NT server can be run by an idiot, and usually is. emsi@it.pl
"If you can't make it good, make it LOOK good." - Bill Gates
Maybe this is not the place, but, for example, M$ programs are veritable monuments to stupidity.
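Both posts run the check by hand with one or two argument lengths and reach opposite conclusions. The following added example (not from the thread) automates that triage step: it runs a target with argv strings of increasing length, reports the first length that ends in SIGSEGV, and notes whether the binary carries the setuid bit, which is what makes such a crash worth chasing. The target path, the length schedule and the demo target (a constructed Python child that kills itself at 300 bytes, standing in for allocslip) are assumptions.

```python
import os
import signal
import stat
import subprocess
import sys

def is_setuid(path):
    """True if the file carries the setuid bit; that is what turns a
    plain crash into a privilege-boundary problem."""
    return bool(os.stat(path).st_mode & stat.S_ISUID)

def run_with_arg_len(cmd_prefix, length, fill="A", timeout=5):
    """Run cmd_prefix + [fill * length] without a shell and return the
    signal number that killed the child, or None on a normal exit.
    For the thread's case cmd_prefix would be ["./allocslip", "b_s"]."""
    try:
        proc = subprocess.run(cmd_prefix + [fill * length],
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return None
    # subprocess reports death-by-signal as a negative return code
    return -proc.returncode if proc.returncode < 0 else None

def first_crash_length(cmd_prefix, lengths):
    """Return (length, signal) for the first argument length that ends
    in SIGSEGV, or None if the whole schedule runs clean."""
    for n in lengths:
        sig = run_with_arg_len(cmd_prefix, n)
        if sig == signal.SIGSEGV:
            return n, sig
    return None

def demo_target():
    """Constructed stand-in for allocslip (hypothetical): a Python child
    that raises SIGSEGV on itself once argv[1] reaches 300 bytes."""
    code = ("import os, signal, sys\n"
            "if len(sys.argv[1]) >= 300:\n"
            "    os.kill(os.getpid(), signal.SIGSEGV)\n")
    return [sys.executable, "-c", code]

if __name__ == "__main__":
    # usage: python harness.py ./allocslip b_s   (falls back to the demo)
    target = sys.argv[1:] or demo_target()
    print("setuid:", is_setuid(target[0]))
    print("first SIGSEGV at:", first_crash_length(target, range(100, 6001, 100)))
```

A clean run over the whole schedule, as in the second post, returns None; a hit reports the smallest length tried that crashed, which is the input to bring to gdb.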