On Sat, 22 May 1999, UNYUN@ShadowPenguinSecurity wrote:

> Hello.
>
> libc overflows when it handles LC_MESSAGES.
> So, if you set a long string to LC_MESSAGES and call
> /bin/sh, a core file is dumped.
> This is a serious problem.
>
> If the long string that contains the exploit code is set to
> LC_MESSAGES and a suid program is called by execl(), a local user
> can get root privilege. The called suid program does not
> have to contain the overflow bugs itself.
> I confirmed this bug on Solaris 2.6 and Solaris 7.
> Solaris 2.4 and 2.5 do not contain this bug.

Didn't work on my Solaris 2.6/sparc box. It just said "Illegal instruction" when using /bin/passwd and segfaulted when using /bin/su.

Oystein

---
"The only way of discovering the limits of the possible is to venture a little way past them into the impossible." - Arthur C. Clarke
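The quoted report turns on a setuid program inheriting an oversized locale variable from its caller, so one defensive measure (independent of the vendor fix) is to filter the environment before any setuid exec. The following is an added example, not code from the post or from Solaris: it drops LANG/LC_* entries whose value exceeds an assumed cap, since real locale names are short strings like en_US.ISO8859-1, and builds a constructed sample environment to exercise the filter.

```c
/* Added example: filter implausibly long locale variables out of an
 * environment before execve(). MAX_LOCALE_LEN is an assumed cap for
 * illustration, not a value from the report. */
#include <stdio.h>
#include <string.h>

#define MAX_LOCALE_LEN 64   /* assumed: real locale names are far shorter */

/* True if the "NAME=value" entry is LANG or any LC_* variable. */
static int is_locale_var(const char *entry)
{
    return strncmp(entry, "LANG=", 5) == 0 || strncmp(entry, "LC_", 3) == 0;
}

/* Copies envp into out (room for at least n+1 pointers), omitting locale
 * entries whose value is longer than MAX_LOCALE_LEN. out is NULL-terminated.
 * Returns how many entries were dropped. */
int filter_locale_env(char *const envp[], char *out[], size_t n)
{
    size_t kept = 0, dropped = 0;
    for (size_t i = 0; i < n && envp[i] != NULL; i++) {
        const char *eq = strchr(envp[i], '=');
        size_t vlen = eq ? strlen(eq + 1) : 0;
        if (is_locale_var(envp[i]) && vlen > MAX_LOCALE_LEN) {
            dropped++;
            continue;          /* never passed on to the child */
        }
        out[kept++] = envp[i];
    }
    out[kept] = NULL;
    return (int)dropped;
}

/* Constructed demo environment: a 512-byte LC_MESSAGES value, a sane LANG,
 * and an unrelated PATH. Returns the dropped count, or -1 if the kept
 * entries are not exactly LANG and PATH. */
int demo_filter(void)
{
    static char big[12 + 512 + 1];
    memcpy(big, "LC_MESSAGES=", 12);
    memset(big + 12, 'A', 512);
    big[12 + 512] = '\0';
    char *env[] = { big, "LANG=en_US.ISO8859-1", "PATH=/usr/bin:/bin", NULL };
    char *out[4];
    int dropped = filter_locale_env(env, out, 3);
    if (out[0] != env[1] || out[1] != env[2] || out[2] != NULL)
        return -1;
    return dropped;   /* 1 */
}

int main(void)
{
    printf("dropped %d oversized locale variable(s)\n", demo_filter());
    return 0;
}
```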
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:46:34 PDT