Re: Solaris libc exploit

From: Toby Chappell (sysatcat_private)
Date: Tue May 25 1999 - 12:21:20 PDT

    Wyman Eric Miles wrote:
    # Correct me if I'm wrong, but doesn't 105210-06 or higher address this
    # under 2.6?  I've been unable to get the exploit to work on any patched
    # system, though it works nicely on any architecture I've tried which
    # doesn't have the patch.
    #
    
     I got it to work using the second version of the exploit (the one that lets
    you specify offsets) on a 2.6 box with 105210-10 installed....
    
    
    toby
    
    
    
    # Wyman
    #
    # On Mon, 24 May 1999, Casper Dik wrote:
    #
    # > If you don't scare easily, you may try hacking libc with adb.
    # >
    # >
    # > THIS IS NOT A SUN SUPPORTED SOLUTION; USE AT YOUR OWN RISK
    # > YOUR SYSTEM MAY BE RENDERED INOPERABLE BY FOLLOWING THE INSTRUCTIONS
    # > BELOW
    # >
    # >
    # > No 100% guarantee either, it seems to work around the problem.
    # >
    # > This is a SPARC only solution; perhaps someone can come up with similar
    # > code for IA32.
    # >
    # > Before we start to alter the system C library with libc make sure
    # > you have SUNWsutl installed:
    # >
    # > 	$ pkginfo SUNWsutl; ls -l /usr/sbin/static
    # > 	system      SUNWsutl       Static Utilities
    # > 	total 4272
    # > 	-r-xr-xr-x   3 root     bin       213908 Mar 17 22:56 cp
    # > 	-r-xr-xr-x   3 root     bin       213908 Mar 17 22:56 ln
    # > 	-r-xr-xr-x   3 root     bin       213908 Mar 17 22:56 mv
    # > 	-r-sr-xr-x   1 root     bin       712652 Mar 17 22:58 rcp
    # > 	-r-xr-xr-x   1 root     bin       762108 Mar 17 23:00 tar
    # >
    # >
    # > On quick examination, there appear to be two functions that overflow a
    # > buffer:
    # >
    # > 	_real_setlocale
    # > 	load_all_locales
    # >
    # > (You're advised to use a different working copy of libc and only replace
    # > libc carefully when you've tested the result using LD_LIBRARY_PATH)
    # >
    # > adb -w /lib/libc.so.1
    # >
    # > _real_setlocale,100?a^i
    # >
    # > (lot of output)
    # >
    # >
    # > Make sure to remove libc.so.1.old or place it outside usr/lib as the runtime
    # > linker can accept it as LD_PRELOAD in which case you'd be back at sq 1.
    # >
    # >
    # > Casper
    # >
    #
    # Wyman Miles
    # Systems Administrator, Rice University, Texas.
    # (713) 737-5827, e-mail:wymanmat_private, pager:wymanmat_private
    --
    Toby Chappell                                        Georgia State Univ.
    Systems Programmer IV                                   Atlanta, Georgia
    tchappellat_private                                         (404) 651-2639
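The bug class behind the thread (a locale name taken from the environment and copied into a fixed-size buffer inside setlocale) as an added illustration, not Solaris libc code and not from any poster: a model of the unchecked copy beside a bounded, validated version. The 64-byte buffer size, the function names and the accepted locale-name character set are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative model only, not Solaris libc. LANG / LC_* values are
 * untrusted input: any set-uid program that calls setlocale() hands
 * them to libc, so the copy into libc's internal buffer must be bounded. */

#define LOCALE_BUF 64   /* assumed size of the internal locale-name buffer */

/* Vulnerable pattern: no length check, so a locale name of LOCALE_BUF
 * bytes or more writes past the end of buf and corrupts adjacent memory. */
static void set_locale_unchecked(char *buf, const char *name)
{
    strcpy(buf, name);   /* overflow when strlen(name) >= LOCALE_BUF */
}

/* Hardened form: reject names that do not fit (with terminator) and names
 * containing characters no valid locale name uses, then copy with an
 * explicit bound. Returns 0 on success, -1 if the name is rejected. */
int set_locale_checked(char *buf, size_t bufsz, const char *name)
{
    size_t n = 0;
    for (; name[n] != '\0'; n++) {
        char c = name[n];
        int ok = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '.' ||
                 c == '-' || c == '@';
        if (!ok || n + 1 >= bufsz)   /* bad char, or no room left */
            return -1;
    }
    memcpy(buf, name, n + 1);
    return 0;
}

/* Convenience wrapper: run the checked copy into a LOCALE_BUF buffer. */
int check_locale_name(const char *name)
{
    char buf[LOCALE_BUF];
    return set_locale_checked(buf, sizeof buf, name);
}

int main(void)
{
    char longname[300];                       /* constructed oversized LANG */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    printf("en_US.ISO8859-1 -> %d\n", check_locale_name("en_US.ISO8859-1"));
    printf("300 x 'A'       -> %d\n", check_locale_name(longname));
    (void)set_locale_unchecked;   /* shown for contrast; never call it with longname */
    return 0;
}
```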
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:47:09 PDT