Re: ospf_monitor (Solaris 2.5)

From: Seth Michael McGann (smmat_private)
Date: Wed Oct 21 1998 - 23:25:13 PDT


On Thu, 22 Oct 1998, Seth Michael McGann wrote:

>
> I can confirm that the version in FreeBSD 2.2.6 is indeed vulnerable, the
> stack is smashed and we are root at the time :(.  Fortunately, it is not
> executable by anyone but root or group ospf.  I would venture that Solaris
> x86 is vulnerable.  The exploit is trivial, just change the target in your
> favorite local overflow and exec.
>

I hate to reply to myself, but:

On further inspection, it appears ospf_monitor drops privileges after
opening a raw multicast socket, but before it overflows.  So basically, no
instant root, but you have an open raw socket descriptor, which could be
useful.  Ah well...

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:20:47 PDT