Re: Solaris libc exploit

From: M.C.Mar (woloszynat_private)
Date: Sun May 23 1999 - 06:43:54 PDT


    On Sat, 22 May 1999, UNYUN@ShadowPenguinSecurity wrote:
    
    > Hello.
    >
    > libc overflows when it handles LC_MESSAGES.
    > So, if you set a long string in LC_MESSAGES and call
    > /bin/sh, a core file is dumped.
    > This is a serious problem.
    >
    Well...
    $ setenv LC_MESSAGES `perl -e 'print "A"x1024'`
    $ /bin/sh
    couldn't set locale correctly
    $ uname -a
    SunOS XXXXXX 5.6 Generic_105181-07 sun4u sparc SUNW,Ultra-4
    
    > If a long string that contains the exploit code is set in
    > LC_MESSAGES and a suid program is called by execl(), a local user
    > can get root privilege. The called suid program does not have
    > to contain the overflow bugs.
    > I confirmed this bug on Solaris 2.6 and Solaris 7.
    > Solaris 2.4 and 2.5 do not contain this bug.
    >
    Do I need to call it directly by execl???
    
    > The following program is an example of getting root privilege.
    > This was tested on Solaris 2.6 for the Sparc edition.
    > This program calls "/bin/passwd", but you can also specify
    > other suid programs such as "/bin/su" or "/bin/rsh".
    >
    
    $ traceroute
    Error: Aborting!
     Excessive environment variable length:
    'LC_MESSAGES=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
    
    Seems like a universal wrapper...
    Any details? Did I miss something?
    
    --
    ___________________________________________________________________________
    M.C.Mar   An NT server can be run by an idiot, and usually is.   emsiat_private
          "If you can't make it good, make it LOOK good." - Bill Gates
       Those who do not understand Unix are condemned to reinvent it, poorly.
                - Henry Spencer, University of Toronto Unix hack
    
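The bug class this thread is arguing about, as an added example (not code from the thread, from UNYUN's exploit, or from Solaris libc): a locale routine that builds a message-catalog path from an environment-supplied LC_MESSAGES value without checking its length, shown beside a bounded version, plus an environment-length gate of the kind the traceroute wrapper above appears to apply before the suid binary runs. The directory layout, buffer size, limit and all function names are assumptions chosen for illustration.

```c
/* Added example; not Solaris libc code. Models the LC_MESSAGES overflow
 * pattern discussed above and the two defences a practitioner would want:
 * a bounds-checked builder and an environment-length gate in the wrapper.
 * Paths, sizes, limits and names are all assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LOCALE_DIR       "/usr/lib/locale/"   /* assumed layout */
#define CATEGORY         "/LC_MESSAGES/"
#define PATH_MAX_ASSUMED 256                  /* assumed fixed buffer in libc */
#define MAX_ENV_LEN      1024                 /* assumed wrapper limit */

/* Vulnerable pattern: copies the attacker-controlled locale name into a
 * fixed buffer. Only safe for short names; a 1024-byte LC_MESSAGES value
 * runs past a PATH_MAX_ASSUMED-byte buffer. Never call it with untrusted
 * input; it is here only to show the shape of the bug. */
static void build_msg_path_unchecked(char *out, const char *locale)
{
    strcpy(out, LOCALE_DIR);
    strcat(out, locale);       /* no length check: overflow point */
    strcat(out, CATEGORY);
}

/* Hardened builder: refuses (returns -1) instead of overflowing. */
static int build_msg_path_checked(char *out, size_t outsz, const char *locale)
{
    size_t need = strlen(LOCALE_DIR) + strlen(locale) + strlen(CATEGORY) + 1;
    if (need > outsz)
        return -1;
    snprintf(out, outsz, "%s%s%s", LOCALE_DIR, locale, CATEGORY);
    return 0;
}

/* 1 if a locale name of this length would overrun the unchecked builder's
 * PATH_MAX_ASSUMED buffer, else 0. */
static int would_overflow(size_t locale_len)
{
    return strlen(LOCALE_DIR) + locale_len + strlen(CATEGORY) + 1
           > PATH_MAX_ASSUMED;
}

/* Gate modelled on the "Excessive environment variable length" check seen
 * in the traceroute output: scan envp before exec'ing a suid program and
 * return the index of the first entry longer than max_len, or -1. */
static int check_env_lengths(char *const envp[], size_t max_len)
{
    for (int i = 0; envp[i] != NULL; i++)
        if (strlen(envp[i]) > max_len)
            return i;
    return -1;
}

/* Helpers to construct the test input: a run of n 'A's, and NAME=value. */
static char *make_long_locale(size_t n)
{
    char *s = malloc(n + 1);
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

static char *make_env_entry(const char *name, const char *value)
{
    char *e = malloc(strlen(name) + 1 + strlen(value) + 1);
    sprintf(e, "%s=%s", name, value);
    return e;
}

int main(void)
{
    char path[PATH_MAX_ASSUMED];
    /* Constructed input mirroring: setenv LC_MESSAGES `perl -e 'print "A"x1024'` */
    char *locale = make_long_locale(1024);
    char *entry = make_env_entry("LC_MESSAGES", locale);
    char *const env[] = { "PATH=/usr/bin", entry, NULL };

    build_msg_path_unchecked(path, "C");          /* short name: fine */
    printf("unchecked, locale C: %s\n", path);
    printf("checked, 1024-byte locale: %d\n",
           build_msg_path_checked(path, sizeof path, locale));
    printf("would_overflow(1024): %d\n", would_overflow(1024));
    printf("first oversized env entry: %d\n",
           check_env_lengths(env, MAX_ENV_LEN));

    free(entry);
    free(locale);
    return 0;
}
```

The unchecked builder is the shape of the bug the thread describes: the length of the environment value decides how far the copy runs, so any suid program that calls into that locale code is exposed regardless of its own code. The two defences are independent, which is why the traceroute wrapper's length gate stopped the long value before libc ever parsed it.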



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:46:36 PDT