
Re: netscape bug
Tom Weinstein writes:
> > Let's say, Mr. Weinstein, that you shove some code onto the stack along
> > with the return address, and the address happens to be the code.
> 
> I never disputed that it could be done, I was just uncertain as to how
> easy it would be.

It's pretty obvious.

> > If you don't believe it can be done, it's easy enough to demonstrate it
> > on your machines, which I believe suffer from the syslog(3) bug, which
> > your company hasn't patched so far as I know, and which afflicts the
> > Sendmail daemons you ship with your machines. See the recent 8lgm bug
> > report if you want details.
> 
> Hmm, could you explain how to exercise this bug?  Perhaps a sample
> program?

I can tell you in general terms -- I don't write MIPS assembler
myself. However, I will point out to you that you use an ancient
Sendmail, and that it uses syslog(3) on user produced data, and that
syslog uses a static buffer. Trick sendmail into logging something
very big, and you can do what you like. The 8lgm people wrote a demo
for Sparc as a proof of concept.

Perry
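As an added illustration of the pattern Perry describes (a logger formatting user data into a static buffer), here is a bounded version of that routine; it is not code from this thread, from Sendmail or from any syslog(3) implementation, and the buffer size and the oversized sample input are constructed for the example.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the static formatting buffer (constructed value; the thread
 * does not state the real one). */
#define LOG_BUF_SIZE 1024

static char logbuf[LOG_BUF_SIZE];

/* Bounded replacement for "format into a static buffer" logging.
 * The caller always supplies the format string; user data only ever
 * travels through a %s argument, so it can neither overflow the buffer
 * nor be interpreted as format directives.  Returns the number of bytes
 * dropped by truncation, 0 when the whole message fit. */
size_t bounded_log(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int needed = vsnprintf(logbuf, sizeof logbuf, fmt, ap);
    va_end(ap);
    if (needed < 0)
        return 0;                       /* encoding error: nothing logged */
    if ((size_t)needed >= sizeof logbuf)
        return (size_t)needed - (sizeof logbuf - 1);
    return 0;
}

/* Length of the message that actually reached the buffer. */
size_t logged_len(void)
{
    return strlen(logbuf);
}

/* Constructed sample of "something very big": 2000 bytes of 'A'. */
const char *oversized_sample(void)
{
    static char big[2001];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return big;
}

/* Hypothetical pre-check: would an unbounded sprintf() of prefix plus
 * user data (plus NUL) have run past a LOG_BUF_SIZE buffer? */
int would_overflow(const char *prefix, const char *user_data)
{
    return strlen(prefix) + strlen(user_data) + 1 > LOG_BUF_SIZE;
}
```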