Re: Solaris libc exploit

From: Oystein Viggen (oysteiviat_private)
Date: Sat May 22 1999 - 08:26:47 PDT


On Sat, 22 May 1999, UNYUN@ShadowPenguinSecurity wrote:

> Hello.
>
> libc overflows when it handles LC_MESSAGES.
> So, if you set a long string to LC_MESSAGES and call
> /bin/sh, the core file is dumped.
> This is a serious problem.
>
> If a long string that contains the exploit code is set to
> LC_MESSAGES and a suid program is called by execl(), a local user
> can get root privilege. The called suid program does not have
> to contain the overflow bugs.
> I confirmed this bug on Solaris2.6 and Solaris7.
> Solaris2.4, 2.5 do not contain this bug.

Didn't work on my Solaris2.6/sparc box.
It just said "Illegal instruction" when using /bin/passwd and segfaulted
when using /bin/su.

Oystein
---
"The only way of discovering the limits of the possible
is to venture a little way past them into the impossible."
- Arthur C. Clarke
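A defensive counterpart to the behaviour the quoted post describes, added here as an example and not code from the post or from Sun: a wrapper that drops oversized or odd-looking locale variables (LC_MESSAGES and friends) from the environment before a privileged program is exec'd, so a long value never reaches libc. The 64-byte bound and the allowed character set are assumptions, not Solaris' own rules.

```c
/* Added example: filter locale variables before exec'ing a suid program.
 * LOCALE_MAX and the accepted characters are assumed limits. */
#include <string.h>
#include <ctype.h>

#define LOCALE_MAX 64  /* assumed sane upper bound for a locale name */

/* Environment variables libc consults for locale settings. */
static const char *locale_vars[] = {
    "LANG", "LC_ALL", "LC_MESSAGES", "LC_CTYPE", "LC_COLLATE",
    "LC_MONETARY", "LC_NUMERIC", "LC_TIME", NULL
};

/* Return 1 if entry ("NAME=value") names a locale variable; store NAME length. */
static int is_locale_var(const char *entry, size_t *name_len)
{
    const char *eq = strchr(entry, '=');
    size_t n;
    int i;
    if (eq == NULL) return 0;
    n = (size_t)(eq - entry);
    for (i = 0; locale_vars[i] != NULL; i++)
        if (strlen(locale_vars[i]) == n && strncmp(entry, locale_vars[i], n) == 0) {
            *name_len = n;
            return 1;
        }
    return 0;
}

/* Accept only short values built from locale-name characters, e.g. "en_US.ISO8859-1". */
int locale_value_ok(const char *value)
{
    size_t i, len = strlen(value);
    if (len == 0 || len > LOCALE_MAX) return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-' && c != '@') return 0;
    }
    return 1;
}

/* Copy envp into out (which must hold as many pointers as envp plus NULL),
 * dropping locale variables whose value fails the check. Returns the count dropped. */
int sanitize_locale_env(char *const envp[], char *out[])
{
    int i, o = 0, dropped = 0;
    size_t nlen;
    for (i = 0; envp[i] != NULL; i++) {
        if (is_locale_var(envp[i], &nlen) && !locale_value_ok(envp[i] + nlen + 1)) { dropped++; continue; }
        out[o++] = envp[i];
    }
    out[o] = NULL;
    return dropped;
}

/* Constructed demo: a ~300-byte LC_MESSAGES next to two sane variables. */
int demo_sanitize(void)
{
    static char big[320], path[] = "PATH=/usr/bin", lang[] = "LANG=en_US";
    char *env[4], *clean[4];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    memcpy(big, "LC_MESSAGES=", 12);
    env[0] = path; env[1] = lang; env[2] = big; env[3] = NULL;
    return sanitize_locale_env(env, clean);  /* returns 1: only the oversized entry is dropped */
}
```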