BugTraq
Buffer Overflow in uucp of SunOS 5.8
Jan 13 2003 07:08PM
hipnosis hipnosis (hipnosis softhome net)
Hi everybody
Though I don't know if this vulnerability has been discovered previously, I
found a buffer overflow in the app uucp of SunOS 5.8 that could be used
to get privileges of uucp.
The buffer overflows when the app uucp is executed with the parameter -s
followed by a string bigger than 7525 bytes.
hipnosis% uucp -s `perl -e 'print "A"x7526'`
Segmentation Fault
hipnosis% uucp -s `perl -e 'print "A"x7525'`
hipnosis%
I have not been able to debug the app to see if the registers are
overwritten, because I do not have any debugger on my machine and I do not
have much time.
My system:
hipnosis% uname -a
SunOS averroes 5.8 Generic_108528-03 sun4u sparc SUNW,Ultra-250
hipnosis%
Suid:
hipnosis% ls -l /usr/bin/uucp
---s--x--x 1 uucp uucp 66940 eno 5 2000 /usr/bin/uucp
hipnosis%
Well, bye everybody
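
Added example, not part of the original post: the "Suid:" listing above is what makes the crash security-relevant, so this sh script decodes the mode column of `ls -l` output into octal and reports which owner a set-id binary runs as. The function names and the second sample line are made up for illustration; the first sample line is the one from the post.

```sh
#!/bin/sh
# mode_to_octal MODE: print the 4-digit octal form of an ls -l mode string,
# e.g. "---s--x--x" -> 4111. Lowercase s/t = special bit plus execute,
# uppercase S/T = special bit without execute.
mode_to_octal() {
    perms=${1#?}                       # drop the file-type character
    special=0; out=""
    for who in 4 2 1; do               # weights: setuid, setgid, sticky
        triad=${perms%"${perms#???}"}  # first three characters
        perms=${perms#???}
        digit=0
        case $triad in r??) digit=$((digit + 4)) ;; esac
        case $triad in ?w?) digit=$((digit + 2)) ;; esac
        case $triad in
            ??x)    digit=$((digit + 1)) ;;
            ??[st]) digit=$((digit + 1)); special=$((special + who)) ;;
            ??[ST]) special=$((special + who)) ;;
        esac
        out="$out$digit"
    done
    printf '%s%s\n' "$special" "$out"
}

# setid_report: read ls -l lines on stdin and print one line per set-id bit
# found, naming the identity the program takes on when executed.
setid_report() {
    while read -r mode _links owner group _rest; do
        octal=$(mode_to_octal "$mode")
        path=${_rest##* }              # last field; no spaces in paths
        case $octal in [4567]???)
            printf '%s %s setuid runs-as-user=%s\n' "$path" "$octal" "$owner" ;;
        esac
        case $octal in [2367]???)
            printf '%s %s setgid runs-as-group=%s\n' "$path" "$octal" "$group" ;;
        esac
    done
}

# Line 1 is the listing from the post; line 2 is a constructed non-set-id file.
sample_listing() {
    cat <<'EOF'
---s--x--x 1 uucp uucp 66940 eno 5 2000 /usr/bin/uucp
-r-xr-xr-x 1 root bin 12345 Jan 1 2000 /usr/bin/example
EOF
}

sample_listing | setid_report
```

For the listing in the post this reports mode 4111 with owner uucp, which is why a memory-corruption bug in this binary is reported as a way to gain uucp privileges.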
Copyright 2008, SecurityFocus