On Sat, 22 May 1999, UNYUN@ShadowPenguinSecurity wrote:

> Hello.
>
> libc overflows when it handles LC_MESSAGES.
> So, if you set a long string in LC_MESSAGES and call
> /bin/sh, a core file is dumped.
> This is a serious problem.
>

Well...

$ setenv LC_MESSAGES `perl -e 'print "A"x1024'`
$ /bin/sh
couldn't set locale correctly
$ uname -a
SunOS XXXXXX 5.6 Generic_105181-07 sun4u sparc SUNW,Ultra-4

> If the long string that contains the exploit code is set in
> LC_MESSAGES and a suid program is called by execl(), a local user
> can get root privilege. The called suid program does not have
> to contain the overflow bug itself.
> I confirmed this bug on Solaris 2.6 and Solaris 7.
> Solaris 2.4 and 2.5 do not contain this bug.
>

Do I need to call it directly by execl()???

> The following program is an example to get root privilege.
> This is tested on Solaris 2.6, SPARC edition.
> This program calls "/bin/passwd", but you can also specify
> other suid programs such as "/bin/su" or "/bin/rsh".
>

$ traceroute
Error: Aborting!
Excessive environment variable length: 'LC_MESSAGES=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'

Seems like a universal wrapper... Any details? Did I miss something?

-- 
___________________________________________________________________________
M.C.Mar                  An NT server can be run by an idiot, and usually is.
emsiat_private     "If you can't make it good, make it LOOK good." - Bill Gates
Those who do not understand Unix are condemned to reinvent it, poorly.
                              - Henry Spencer, University of Toronto Unix hack
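As an added example (not code from either poster, and not Sun's traceroute wrapper, whose internals the thread does not show), here is a C sketch of the kind of environment-length check that the "Excessive environment variable length" message above implies: a wrapper that inspects envp before exec'ing a setuid target. The 256-byte per-entry limit, the LANG/LC_* variable list, the function names, and the constructed 1024-byte LC_MESSAGES sample are all assumptions made for the example.

```c
/* Added example: environment sanitising for a setuid wrapper.
 * Assumptions: a 256-byte limit per "NAME=value" entry and that only
 * LANG and LC_* are the entries worth dropping. Not vendor code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAX_ENV_ENTRY 256   /* assumed limit, not any vendor's value */

/* Nonzero if entry is a locale variable (LANG or LC_*), the class the
 * quoted report says the libc overflow is reached through. */
int is_locale_var(const char *entry)
{
    return strncmp(entry, "LANG=", 5) == 0 || strncmp(entry, "LC_", 3) == 0;
}

/* Index of the first entry longer than maxlen bytes, or -1 if none. */
int find_overlong_env(char *const envp[], size_t maxlen)
{
    for (int i = 0; envp[i] != NULL; i++)
        if (strlen(envp[i]) > maxlen)
            return i;
    return -1;
}

/* Copy envp into out[] (capacity outcap including the terminating NULL),
 * dropping locale variables longer than maxlen. Other entries pass so the
 * target still sees PATH, HOME and friends. Returns entries kept, or -1 if
 * out[] is too small. */
int filter_env(char *const envp[], size_t maxlen, char **out, size_t outcap)
{
    size_t n = 0;
    for (int i = 0; envp[i] != NULL; i++) {
        if (is_locale_var(envp[i]) && strlen(envp[i]) > maxlen)
            continue;                       /* drop the suspicious entry */
        if (n + 1 >= outcap)                /* keep room for the NULL */
            return -1;
        out[n++] = envp[i];
    }
    out[n] = NULL;
    return (int)n;
}

/* Strict wrapper behaviour, in the spirit of the quoted traceroute message:
 * refuse to exec at all if any entry is overlong. Returns -1 without
 * exec'ing; on success execve() does not return. */
int exec_guarded(const char *path, char *const argv[], char *const envp[])
{
    int bad = find_overlong_env(envp, MAX_ENV_ENTRY);
    if (bad >= 0) {
        fprintf(stderr, "Error: Aborting!\n"
                "Excessive environment variable length: '%.40s...'\n",
                envp[bad]);
        return -1;
    }
    execve(path, argv, envp);
    return -1;                              /* execve itself failed */
}

/* Constructed sample environment: LC_MESSAGES with 1024 'A's, as in the
 * report, between two harmless entries. Returns entry count or -1. */
static char *big_lc_messages;               /* freed by the caller */
static char path_entry[] = "PATH=/usr/bin:/bin";
static char home_entry[] = "HOME=/tmp";

int sample_env_build(char **env, size_t cap)
{
    const char *prefix = "LC_MESSAGES=";
    size_t len = strlen(prefix) + 1024;
    if (cap < 4) return -1;
    big_lc_messages = malloc(len + 1);
    if (!big_lc_messages) return -1;
    strcpy(big_lc_messages, prefix);
    memset(big_lc_messages + strlen(prefix), 'A', 1024);
    big_lc_messages[len] = '\0';
    env[0] = path_entry;
    env[1] = big_lc_messages;
    env[2] = home_entry;
    env[3] = NULL;
    return 3;
}

int main(void)
{
    char *env[4], *clean[4];
    char *argv[] = { "/bin/true", NULL };   /* harmless target for the demo */
    if (sample_env_build(env, 4) < 0) return 1;
    printf("overlong entry at index %d\n", find_overlong_env(env, MAX_ENV_ENTRY));
    printf("%d entries survive filtering\n", filter_env(env, MAX_ENV_ENTRY, clean, 4));
    if (exec_guarded("/bin/true", argv, env) < 0)
        printf("strict wrapper refused to exec\n");
    free(big_lc_messages);
    return 0;
}
```

The caveat the quoted report itself makes applies here: a wrapper like this only protects the programs it wraps. If the overflow lives in libc's locale handling, any setuid binary that calls setlocale() is reachable by a caller that execs it directly with its own envp, so the wrapper is a mitigation for individual entry points, not a fix for the library.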
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:46:36 PDT