> Christian Wettergren <cwe @
> >I've also seen that there is a fixed-size buffer in the routine
> >logerror(), which can be overrun. The contents can be controlled
> >from outside in at least one instance. I'm _not_
> >saying these are holes, just that it looks suspicious. (I wouldn't
> >be able to exploit them myself, I guess!)
> Perhaps not, but if memory serves, Robert Morris Jr. used the same
> basic flaw in the Unix finger daemon as compiled for some variety of
> Sun to introduce his own machine code into the running process.
The flaw, I believe, was using the gets() routine, which doesn't check to see if it
has overwritten any buffers. Therefore RTM was able to overwrite the stack
and execute his own commands.
Christopher William Klaus <cklaus @
net> <iss @
Internet Security Systems, Inc. Computer Security Consulting
2209 Summit Place Drive, Penetration Analysis of Networks
Atlanta, GA 30350-2430. (404)518-0099. Fax: (404)518-0030
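The gets()-style flaw discussed in the thread, shown with its defence as an added C example that is not part of the thread or of fingerd: a bounded line reader that replaces gets() and drains an overlong line so its tail is not re-read as a fresh line, plus a bounded logerror()-style formatter that truncates attacker-controlled text instead of overrunning its fixed buffer. The function names, the 16-byte buffer and the input lines are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
/* Bounded replacement for gets(): reads one line into buf[cap]. Returns 1 if a
 * line was read, 0 on EOF. Input longer than cap-1 is cut at the bound and the
 * excess drained, so it can neither overrun buf nor be re-read as a new line. */
int read_line_bounded(FILE *in, char *buf, size_t cap, int *truncated)
{
    int c; size_t len;
    *truncated = 0;
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL) return 0;
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') { buf[len - 1] = '\0'; return 1; } /* complete line */
    if (feof(in)) return 1;             /* final line simply lacked a newline */
    *truncated = 1;
    while ((c = fgetc(in)) != EOF && c != '\n') ;  /* discard the overlong rest */
    return 1;
}
/* Bounded logerror()-style formatter: returns 1 if the entry had to be cut. */
int format_log_entry(char *out, size_t cap, const char *host, const char *msg)
{
    int n = snprintf(out, cap, "error from %s: %s", host, msg);
    return (n < 0 || (size_t)n >= cap) ? 1 : 0;
}
/* Constructed input: a normal line, a 100-byte line, then another normal line. */
static FILE *constructed_input(void)
{
    FILE *f = tmpfile();
    if (!f) return NULL;
    fputs("short\n", f);
    for (int i = 0; i < 100; i++) fputc('A', f);
    fputs("\nafter\n", f);
    rewind(f);
    return f;
}
/* Feeds the input through a 16-byte buffer; returns 0 when every bound held. */
int demo_overlong_line(void)
{
    char buf[16], entry[24]; int trunc, ok = 1;
    FILE *f = constructed_input();
    if (!f) return -1;
    ok &= read_line_bounded(f, buf, sizeof buf, &trunc) && !trunc && !strcmp(buf, "short");
    ok &= format_log_entry(entry, sizeof entry, "h", buf) == 0;   /* 19 chars: fits */
    ok &= read_line_bounded(f, buf, sizeof buf, &trunc) && trunc && strlen(buf) == 15;
    ok &= format_log_entry(entry, sizeof entry, "h", buf) == 1;   /* 29 chars: cut, not overrun */
    ok &= read_line_bounded(f, buf, sizeof buf, &trunc) && !trunc && !strcmp(buf, "after");
    fclose(f);
    return ok ? 0 : 1;
}
int main(void) { printf("bounds held: %s\n", demo_overlong_line() == 0 ? "yes" : "no"); return 0; }
```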