![[LWN Logo]](/images/lwn.banner.gif)
Date: Mon, 25 May 1998 13:28:08 +0200
From: Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
Subject: ircii-pana (BitchX) 74p4 overflow - exploit/fix
To: BUGTRAQ@NETSPACE.ORG
-- Risk --
Hemm, after a few minutes, I'm sure BitchX buffer overflow IS exploitable.
I tried about 3000 'A' letters followed by original .plan, and got:
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
I'm assuming almost anyone is able to modify less or more generic
shellcode.
-- Fix --
"All new dgets -- no more trap doors!" - that's from newio.c :-)))
Hemm?:) Here's fix, sufficient at least in above situation.
--- newio.c.orig Tue Nov 18 04:49:28 1997
+++ newio.c Mon May 25 13:25:58 1998
@@ -296,7 +296,7 @@
{
if (((str[cnt] = ioe->buffer[ioe->read_pos++])) == '\n')
break;
- cnt++;
+ if (++cnt>=BIG_BUFFER_SIZE) ioe->read_pos=ioe->write_pos;
}
/*
_______________________________________________________________________
Michal Zalewski [lcamtuf@boss.staszic.waw.pl] <= finger for pub PGP key
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]
[echo "\$0&\$0">_;chmod +x _;./_] <=------=> [tel +48 (0) 22 813 25 86]