From: "Perry E. Metzger" <perry@piermont.com>
Date: Thu, 21 Sep 95 22:38:08 PDT
To: tomw@cthulhu.engr.sgi.com
Subject: Re: netscape bug
In-Reply-To: <199509220503.WAA05140@orac.engr.sgi.com>
Message-ID: <199509220537.BAA02346@frankenstein.piermont.com>
MIME-Version: 1.0
Content-Type: text/plain



Tom Weinstein writes:
> > Lets say, Mr. Weinstein, that you shove some code onto the stack along
> > with the return address, and the address happens to be the code.
> 
> I never disputed that it could be done, I was just uncertain as to how
> easy it would be.

Its pretty obvious.

> > If you don't believe it can be done, its easy enough to demonstrate it
> > on your machines, which I believe suffer from the syslog(3) bug, which
> > your company hasn't patched so far as I know, and which afflicts the
> > Sendmail daemons you ship with your machines. See the recent 8lgm bug
> > report if you want details.
> 
> Hmm, could you explain how to exercise this bug?  Perhaps a sample
> program?

I can tell you in general terms -- I don't write MIPS assembler
myself. However, I will point out to you that you use an ancient
Sendmail, and that it uses syslog(3) on user produced data, and that
syslog uses a static buffer. Trick sendmail into logging something
very big, and you can do what you like. The 8lgm people wrote a demo
for Sparc as a proof of concept.

Perry