Re: Irix buffer overflow in /bin/df

J.A. Gutierrez (spd@GTC1.CPS.UNIZAR.ES)
Sat, 24 May 1997 21:44:45 +0200

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Yuri Volobuev: "Irix: Pandora's box opened"
Previous message: Aleph One: "Son of OOB part II - answer? (long)"
Maybe in reply to: David Hedley: "Irix buffer overflow in /bin/df"
Next in thread: Lamont Granquist: "Re: Irix buffer overflow in /bin/df"

> The version of 'df' which comes with Irix 6.2, whilst having the buffer
> overflow problem, is not vulnerable to this exploit as it is compiled as
> a 64bit N32 object

this is true only for the IRIX64 version of Irix 6.2

>
> The temporary fix: chmod u-s /bin/df

Another fix: replace irix 6.2 mips-2 binary with the mips-3
binary from an IRIX64 box

>
> The exploit code included has been tested on the following:
>
> R3000 Indigo (Irix 5.3)
> R4400 Indy (Irix 5.3)
> R5000 O2 (Irix 6.3)
>

R4400 Challenge L (IRIX64 Irix 6.2) -> doesn't works
$ file /sbin/df
/sbin/df: ELF N32 MSB mips-3 dynamic executable MIPS - version 1)

R4600 Indy, Irix 6.2 -> works
R4400 Indigo 2, Irix 6.2 -> works

.signature intentionally left blank

Next message: Yuri Volobuev: "Irix: Pandora's box opened"
Previous message: Aleph One: "Son of OOB part II - answer? (long)"
Maybe in reply to: David Hedley: "Irix buffer overflow in /bin/df"
Next in thread: Lamont Granquist: "Re: Irix buffer overflow in /bin/df"