Re: Irix buffer overflow in /bin/df

Lamont Granquist (lamontg@HITL.WASHINGTON.EDU)
Wed, 28 May 1997 07:32:00 -0700

On Sat, 24 May 1997, David Hedley wrote:
> The version of 'df' which comes with Irix 6.2, whilst having the buffer
> overflow problem, is not vulnerable to this exploit as it is compiled as
> a 64-bit N32 object and it is virtually impossible to exploit buffer
> overflows in such programs.

Tests on an R4400 (Indigo) and an R4600 running 6.2 both were exploitable,
although another R4400 (Onyx) running 6.2 was not exploitable. Your
mileage may vary.

As David mentioned,

% file /bin/df
/bin/df: ELF 32-bit MSB mips-2 dynamic executable MIPS - version 1

is exploitable, while

% file /bin/df
/bin/df: ELF N32 MSB mips-3 dynamic executable MIPS - version 1

is not.

--
Lamont Granquist <lamontg@hitl.washington.edu> (206)616-1469 fax:(206)543-5380
Human Interface Technology Lab.  University of Washington.  Seattle, WA
PGP pubkey: finger lamontg@near.hitl.washington.edu