From owner-freebsd-security  Mon Oct 30  0:43:47 2000
Delivered-To: freebsd-security@freebsd.org
Received: from aes.thinksec.com (unknown [193.212.248.16])
	by hub.freebsd.org (Postfix) with ESMTP id D682137B479
	for <freebsd-security@freebsd.org>; Mon, 30 Oct 2000 00:43:44 -0800 (PST)
Received: by aes.thinksec.com (Postfix, from userid 2602)
	id C0DE31BF994; Mon, 30 Oct 2000 09:43:43 +0100 (CET)
X-URL: http://www.ofug.org/~des/
To: Roman Shterenzon <roman@xpert.com>
Cc: freebsd-security@freebsd.org
Subject: Re: [roman@xpert.com: Remote buffer overflow in gnomeicu 0.93]
References: <20001028020359.A61199@alchemy.oven.org>
From: Dag-Erling Smorgrav <des@thinksec.com>
Date: 30 Oct 2000 09:43:42 +0100
In-Reply-To: Roman Shterenzon's message of "Sat, 28 Oct 2000 02:03:59 +0200"
Message-ID: <xzpvgua90sh.fsf@aes.thinksec.com>
Lines: 13
User-Agent: Gnus/5.0807 (Gnus v5.8.7) Emacs/20.7
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Roman Shterenzon <roman@xpert.com> writes:
> Yesterday, running sockstat I noticed that openicu listens on TCP port 40=
00.
> I was curious so I fed it with some zeroes from /dev/zero, and, it crashed
> like a charm. I'm suspecting buffer overflow which may allow an intruder
> to receive a shell on victim's machine.

Instead of feeding it zeroes, try feeding it A's (e.g. using 'cat
/dev/zero | tr \\0 A') and see if it crashes trying to dereference
0x41414141; if it does, it's likely to be exploitable.

DES
--=20
Dag-Erling Sm=F8rgrav - des@thinksec.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message