Re: Buffer overflow in Solaris 2.6/2.7 /usr/bin/lpstat

• Previous message: Jonathan A. Zdziarski: "Responses to: Unix Security Kernel Changes"
• Maybe in reply to: plasmoid deep/thc/clb: "Buffer overflow in Solaris 2.6/2.7 /usr/bin/lpstat"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

>On Aug/25/98 Sun released the following patches for lp:
>
> Solaris2.6 Sparc: 106235-02
> Solaris2.6 x86:   106236
>
>It is quite sad, that they did not fix another overflow in
>/usr/bin/lpstat. I testified this bug on either Solaris 2.7 x86
>and 2.6 Sparc, I assume that it is also present on Solaris 2.6
>x86 and 2.7 Sparc.
>
>Solaris 2.7 x86
>% plasmoid@gorkie:foo> lpstat -c `perl -e 'print "A" x 998'`
>% UX:lpstat: ERROR: Class
>                    [...]
>%                   AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" does
>%                   not exist.
>%           TO FIX: Use the "lpstat -c all" command to list
>%                   all known classes.
>% Segmentation Fault
>% plasmoid@gorkie:foo>


Hm, but if you look at it with truss another picture appears:

It appears that the program that is core dumps is /usr/lib/lp/local/lpstat.
That program is not set-uid.  The intervening shell (hm, someone using
system again???) resets the uid.

9125:   execve("/usr/bin/lpstat", 0xFFBEF3DC, 0xFFBEF3EC)  argc = 3
9125:       *** SUID: ruid/euid/suid = 21782 / 0 / 0  ***
9125:       *** SGID: rgid/egid/sgid = 320 / 320 / 320  ***
9125:    argv: lpstat -c
9125:     xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
9126:   execve("/bin/sh", 0xFFBEEB98, 0xFFBEF404)  argc = 3
9126:    argv: sh -c
9126:     /usr/lib/lp/local/lpstat -c xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
9126:   setuid(21782)                                   = 0
9128:   execve("/usr/lib/lp/local/lpstat", 0x0003A654, 0x0003A664)  argc = 3
9128:       *** SUID: ruid/euid/suid = 21782 / 21782 / 21782  ***
9128:    argv: /usr/lib/lp/local/lpstat -c
9128:     xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
UX:lpstat: ERROR: Class
                  "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" does
                  not exist.
          TO FIX: Use the "lpstat -c all" command to list
                  all known classes.
9128:       Incurred fault #6, FLTBOUNDS  %pc = 0xFF2B679C
9128:         siginfo: SIGSEGV SEGV_MAPERR addr=0x78787878
9128:       Received signal #11, SIGSEGV [default]
9128:         siginfo: SIGSEGV SEGV_MAPERR addr=0x78787878
9128:           *** process killed ***

• Next message: Michael Howard: "Re: Software Inertia"
• Previous message: Jonathan A. Zdziarski: "Responses to: Unix Security Kernel Changes"
• Maybe in reply to: plasmoid deep/thc/clb: "Buffer overflow in Solaris 2.6/2.7 /usr/bin/lpstat"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:31:51 PDT