Re: Solaris libc exploit

From: Wyman Eric Miles (wymanmat_private)
Date: Tue May 25 1999 - 07:30:53 PDT

    Correct me if I'm wrong, but doesn't 105210-06 or higher address this
    under 2.6?  I've been unable to get the exploit to work on any patched
    system, though it works nicely on any architecture I've tried which
    doesn't have the patch.
    
    Wyman
    
    On Mon, 24 May 1999, Casper Dik wrote:
    
    > If you don't scare easily, you may try hacking libc with adb.
    >
    >
    > THIS IS NOT A SUN SUPPORTED SOLUTION; USE AT YOUR OWN RISK
    > YOUR SYSTEM MAY BE RENDERED INOPERABLE BY FOLLOWING THE INSTRUCTIONS
    > BELOW
    >
    >
    > No 100% guarantee either, it seems to work around the problem.
    >
    > This is a SPARC only solution; perhaps someone can come up with similar
    > code for IA32.
    >
    > Before we start to alter the system C library with libc make sure
    > you have SUNWsutl installed:
    >
    > 	$ pkginfo SUNWsutl; ls -l /usr/sbin/static
    > 	system      SUNWsutl       Static Utilities
    > 	total 4272
    > 	-r-xr-xr-x   3 root     bin       213908 Mar 17 22:56 cp
    > 	-r-xr-xr-x   3 root     bin       213908 Mar 17 22:56 ln
    > 	-r-xr-xr-x   3 root     bin       213908 Mar 17 22:56 mv
    > 	-r-sr-xr-x   1 root     bin       712652 Mar 17 22:58 rcp
    > 	-r-xr-xr-x   1 root     bin       762108 Mar 17 23:00 tar
    >
    >
    > On quick examination, there appear to be two functions that overflow a
    > buffer:
    >
    > 	_real_setlocale
    > 	load_all_locales
    >
    > (You're advised to use a different working copy of libc and only replace
    > libc carefully when you've tested the result using LD_LIBRARY_PATH)
    >
    > adb -w /lib/libc.so.1
    >
    > _real_setlocale,100?a^i
    >
    > (lot of output)
    >
    >
    > Make sure to remove libc.so.1.old or place it outside usr/lib as the runtime
    > linker can accept it as LD_PRELOAD in which case you'd be back at sq 1.
    >
    >
    > Casper
    >
    
    Wyman Miles
    Systems Administrator, Rice University, Texas.
    (713) 737-5827, e-mail:wymanmat_private, pager:wymanmat_private
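
Added example, not part of the original thread: a way to check whether a host carries patch 105210 at revision 06 or higher, the level the reply above asks about (whether that revision fixes the problem is the poster's question, not something this script establishes). It assumes `showrev -p` prints one "Patch: <base>-<rev> ..." line per installed patch; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Report whether a Solaris patch is installed at or above a minimum revision,
# by parsing `showrev -p`-style lines read from stdin.

# Constructed sample input, not taken from a real host. Only the patch base
# 105210 comes from the message; other IDs and package names are placeholders.
sample_showrev() {
cat <<'EOF'
Patch: 999999-01 Obsoletes:  Packages: SUNWexmpl
Patch: 105210-04 Obsoletes:  Packages: SUNWexmpl
Patch: 105210-06 Obsoletes:  Packages: SUNWexmpl, SUNWexmpl2
Patch: 1052100-09 Obsoletes:  Packages: SUNWexmpl
EOF
}

# patch_status BASE MINREV
# Prints "ok NN" (highest installed revision meets MINREV),
# "old NN" (installed, but below MINREV) or "missing".
patch_status() {
    awk -v base="$1" -v min="$2" '
        $1 == "Patch:" {
            # Split "105210-06" into base and revision; the base must match
            # exactly so that 1052100-09 is not mistaken for 105210.
            n = split($2, id, "-")
            if (n == 2 && id[1] == base && id[2] ~ /^[0-9]+$/) {
                # Several revisions can be listed; keep the highest one.
                if (!found || id[2] + 0 > max) { max = id[2] + 0; found = 1 }
            }
        }
        END {
            if (!found)               print "missing"
            else if (max >= min + 0)  printf "ok %02d\n", max
            else                      printf "old %02d\n", max
        }'
}

# Demo on the constructed sample. On a real host the input would be:
#   showrev -p | patch_status 105210 06
sample_showrev | patch_status 105210 06
```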
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:46:44 PDT