SunOS strangeness (possible security hole?)
Andrew McRae
andrew at megadata.mega.oz.au
Thu Feb 14 11:16:31 AEST 1991
One of my colleagues showed me something that warrants comment
from people who know more about the internals of SunOS (it may
be peculiar to SunOS, possibly more widespread..).
He was debugging a program which generated a non-ascii data file
via open/ftruncate system calls (ftruncate to fix the size). The
file was then mmap'ed and populated using bcopy and other memory
writes. He ran strings on the data file to look for a string, and
saw what looked like a totally foreign string chunk.
In fact it turned out to be a portion of a Usenet news message (as
a funny aside the message was from alt.desert-storm saying you have to
be careful what you say in case someone is listening), and
we were both at a loss knowing how this could appear in the data file.
The program goes nowhere near the news files. We reckoned
it was at the tail end of a temporary file block somewhere,
but from what I have read, I thought that every time some memory
was allocated to a program (either heap, stack, allocated file
blocks, mmap'ed areas etc) it zero filled the memory to ensure
this kind of thing didn't happen.
Does this mean I can write a program to open/mmap a file (after
I find the right sequence), and rifle through
whatever bits of files or memory come my way?
--
Andrew McRae inet: andrew at megadata.mega.oz.au
Megadata Pty Ltd, uucp: ..!uunet!megadata.mega.oz.au!andrew
North Ryde 2113 Phone: +61 2 805 0899
NSW AUSTRALIA Fax: +61 2 887 4847
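The open/ftruncate/mmap/bcopy sequence the post describes, turned into a probe for the leak the poster suspects. This is an added example, not code from the original message or from the program being debugged: it creates a temporary file (the /tmp name and the fallback to the working directory are assumptions), extends it with ftruncate(), maps it, writes a constructed payload into the start of the mapping, and then inspects every byte it did not write, counting non-zero bytes and, as `strings -n 4` would, runs of printable characters. A non-zero result means the extended area came back with stale block contents, which is exactly what a program could then "rifle through"; a zero result means the system zero-filled the gap. Current POSIX requires ftruncate() to make the extended area appear zero-filled, so on a modern system the probe reports nothing, but it is the check to run on any system where you suspect otherwise.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define FILE_SIZE (64 * 1024)   /* 64 KiB, chosen to span several file-system blocks */

/* Constructed payload standing in for the debugged program's data. */
static const char PAYLOAD[] = "constructed payload written through the mapping";

struct probe_result {
    long stale_bytes;    /* non-zero bytes outside the region we wrote; -1 on error */
    long printable_runs; /* runs of >= 4 printable bytes there, as `strings` reports */
};

/* Count runs of at least min_len printable ASCII bytes in buf[0..len),
 * roughly what `strings -n min_len` would print for that region. */
static long count_printable_runs(const unsigned char *buf, size_t len, size_t min_len)
{
    long runs = 0;
    size_t run = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] >= 0x20 && buf[i] <= 0x7e) {
            run++;
        } else {
            if (run >= min_len) runs++;
            run = 0;
        }
    }
    if (run >= min_len) runs++;
    return runs;
}

/* Reproduce the post's sequence: open, ftruncate to size, mmap, populate
 * part of the mapping with bcopy-style writes, then inspect every byte we
 * did NOT write. Stale bytes mean the extension was not zero-filled. */
struct probe_result probe_extended_file(void)
{
    struct probe_result r = { -1, -1 };

    /* Hypothetical temp name; fall back to the working directory if /tmp fails. */
    char path[] = "/tmp/ftruncate_probe_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) {
        char local[] = "./ftruncate_probe_XXXXXX";
        fd = mkstemp(local);
        if (fd < 0) return r;
        unlink(local);           /* keep the descriptor, drop the name */
    } else {
        unlink(path);
    }

    if (ftruncate(fd, FILE_SIZE) != 0) { close(fd); return r; }

    unsigned char *map = mmap(NULL, FILE_SIZE, PROT_READ | PROT_WRITE,
                              MAP_SHARED, fd, 0);
    if (map == MAP_FAILED) { close(fd); return r; }

    size_t written = sizeof(PAYLOAD) - 1;
    memcpy(map, PAYLOAD, written);  /* bcopy() in the original program */

    /* Everything from `written` to the end was never touched by us. */
    long stale = 0;
    for (size_t i = written; i < FILE_SIZE; i++)
        if (map[i] != 0) stale++;

    r.stale_bytes = stale;
    r.printable_runs = count_printable_runs(map + written, FILE_SIZE - written, 4);

    munmap(map, FILE_SIZE);
    close(fd);
    return r;
}

int main(void)
{
    struct probe_result r = probe_extended_file();
    if (r.stale_bytes < 0) { perror("probe"); return 1; }
    printf("stale bytes outside written region: %ld\n", r.stale_bytes);
    printf("printable runs (strings -n 4 style): %ld\n", r.printable_runs);
    return 0;
}
```

If the probe ever reports stale bytes, the interesting variable to play with is the file size and the file system the temporary file lives on: the poster's guess that the data came from the tail of a freed temporary-file block is what the counts above would confirm or rule out.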