Re: ospf_monitor (Solaris 2.5)

From: Seth Michael McGann (smmat_private)
Date: Wed Oct 21 1998 - 21:55:48 PDT


    I can confirm that the version in FreeBSD 2.2.6 is indeed vulnerable, the
    stack is smashed and we are root at the time :(.  Fortunately, it is not
    executable by anyone but root or group ospf.  I would venture that solaris
    x86 is vulnerable.  The exploit is trivial, just change the target in your
    favorite local overflow and exec.
    
    On Wed, 21 Oct 1998, Joel Eriksson wrote:
    
    > This looks suspicious:
    >
    > bash$ ospf_monitor `perl -e 'print "A"x1066'`
    > task_get_proto: getprotobyname("ospf") failed, using proto 89
    > listening on 0.0.0.0.64527
    > Segmentation Fault
    >
    > bash$ ls -l /usr/bin/ospf_monitor
    > -rwsr-xr-x   1 root     other      61892 Sep 17  1997
    > /usr/bin/ospf_monitor
    >
    > Has anyone succeeded in exploiting this? It sure looks like a
    > buffer overflow to me..
    >
    > /Joel Eriksson
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:20:44 PDT