On Tue, 11 May 1999, kim yong-jun homepage=ce.hannam.ac.kr/~s96192 wrote: > This is my second post to ButTraq. > If this is old, I'm sorry. > > > It's buffer overflow in "/usr/bin/lpset". > > View this command : > [loveyou@/] % /usr/bin/lpset -a key=`perl -e 'print "x" x 1006'` loveyou > > [loveyou@/] % /usr/bin/lpset -a key=`perl -e 'print "x" x 1007'` loveyou > Segmentation fault On my Solaris 2.6 and 2.7 systems, unless you are already uid 0 or are gid 14 lpset bombs before it can dump core, with "Permission denied: not in group 14." It dumps core as root. So apparently this will only get one a gid 14 -> uid 0 upgrade. I found on my Solaris systems I had already stripped the setuid bit because we don't use the program and Sun does a truly pathetic job of rooting the buffer overflows out of their setuid code. With the number of units of Solaris that are sold, every setuid/setgid binary on the system should have been audited for overflows. It's really pathetic that we are still seeing them. It's especially cute when Sun ships a new version with holes for which patches were available for the previous version. (see 'ufsrestore')
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:45:46 PDT