From proff Thu Aug 29 10:22:57 1996 Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id KAA30190 for best-of-security; Thu, 29 Aug 1996 10:22:56 +1000 Received: from brimstone.netspace.org ([128.148.157.143]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id FAA12162 for ; Thu, 29 Aug 1996 05:27:21 +1000 Received: from netspace.org ([128.148.157.6]) by brimstone.netspace.org with ESMTP id <23433-9751>; Wed, 28 Aug 1996 15:24:49 -0500 Received: from netspace.org (netspace [128.148.157.6]) by netspace.org (8.7/8.6.12) with SMTP id PAA19770; Wed, 28 Aug 1996 15:11:47 -0400 Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8b) with spool id 311167 for BUGTRAQ@NETSPACE.ORG; Wed, 28 Aug 1996 14:54:40 -0400 Received: from netspace.org (netspace [128.148.157.6]) by netspace.org (8.7/8.6.12) with SMTP id OAA17145 for ; Wed, 28 Aug 1996 14:49:47 -0400 Approved-By: ALEPH1@UNDERGROUND.ORG Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by netspace.org (8.7/8.6.12) with SMTP id DAA27860 for ; Wed, 28 Aug 1996 03:54:36 -0400 Received: by mercury.Sun.COM (Sun.COM) id AAA02495; Wed, 28 Aug 1996 00:54:33 -0700 Received: from albano by Holland.Sun.COM (SMI-8.6/SMI-SVR4-sd.fkk200) id JAA23054; Wed, 28 Aug 1996 09:54:22 +0200 Received: from holland by albano (SMI-8.6/SMI-SVR4-se.fkk201) id JAA16228; Wed, 28 Aug 1996 09:54:20 +0200 Approved-By: Casper Dik Message-ID: <199608280754.JAA16228@albano> Date: Wed, 28 Aug 1996 09:54:25 +0200 Reply-To: Bugtraq List Sender: proff From: Casper Dik Subject: Re: Vulnerability in the Xt library To: Multiple recipients of list BUGTRAQ In-Reply-To: Your message of "Wed, 28 Aug 1996 00:05:53 MDT." <199608280605.AAA19147@remise> > Both Sun's compiler and gcc allocate the stack as follows: > > %fp - 2008 == message > %fp - 1008 == buffer > > At the call to sprintf(), 'buffer' contains something like >"Invalid color: %s\0", and 'message' is the thing we're going to overflow. > > If we overflow 'message' to overwrite the return addr, we *ALSO* overwrite >'buffer'. As a result, the formatting string for sprintf is completely >obliterated, which forces _doprnt() to segfault (as there's no termination >for its formatting string). This pretty much depends on how doprnt works (also, the vs 3 compiler from Sun has different stack allocations, depending on the optimization). After processing the %s format, sprintf will suddenly find much more format. However, if there's no % in the format, there's still a way to prevent sprintf looping for ever, it all depends on how the format is processed. If your sprintf processes it character by character and copies each character then the format will never end. However, if the format is copied chunk by chunk between each % or the terminating \0, then doprnt will finish. This is the way doprnt() works in Solaris. My "point & shoot" stack overflow exploiter works on Solaris xterm [which isnt' set-uid] with the "sub optimal" stack layout as above: % bufoverflow /usr/openwin/bin/xterm -fg %s Warning: Color name "" [with a part of the buffer repeated!!] Warning: some arguments in previous message were lost $ The $ is the shell started by the buffer spam. It's definitely possible, even with the stack layout as described by you. (Which, incidently, is the stack layout used in Solaris as shipped) Casper