> Re: NetBSD Security Advisory 1999-011
> Re: profil(2) bug, a simple test program
>
> [ profil(2) not turned off on exec, allows a wrapper to increment any
>   word in any program's data or stack space, modulo timing uncertainty ]

Summary: Solaris _is_ vulnerable after all.

So, contrary to the earlier report and directly contradicting the Solaris
execve(2) man page, it appears that most or all versions of Solaris _are_
vulnerable after all. Chris Thompson of the Cambridge University Computing
Service first noticed this and has notified Sun.

I would have preinformed Sun had I not been under the impression that they
had fixed it, although it shouldn't matter much given the high degree of
difficulty in constructing an exploit.

I wasn't as worried about the other BSDs, because the simple NetBSD patch
that was included should work OK at any BSD site. OpenBSD has applied the
NetBSD patch to their current sources, but note that all releases of all BSD
kernels prior to NetBSD 1.4.1 (which is in process and expected later this
week) appear to have this bug.

Also, the script for the test program should cp(1) instead of mv(1)...

    % cc profiltest.c
    [ optional part
    % su
    # cp a.out prog.setuid
    # chown (something) prog.setuid
    # (possibly make it setuid)
    # exit
    ]
    % ./a.out

Test results from other Unix systems might be interesting.

ross.harveyat_private
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:55:58 PDT