On Thu, 6 Jan 2000, Brock Tellier wrote:

> >[Hackerslab bug_paper] Solaris chkperm buffer overflow
> >
> >[Hackerslab:/users/loveyou/buf]$ chkperm -n `perl -e 'print "x" x 200'`
> >Segmentation fault (core dumped)
> >
> >it is recommended that the suid bit is
> >removed from chkperm using command :
> >
> > chmod 400 /usr/vmsys/bin/chkperm
>
> Hrm, yeah, I found this one some months ago while I was checking out chkperm's
> ability to read bin-owned files. After some testing I concluded that, at
> least on SPARC, the function where the overflow occurs will exit() before it
> is allowed to return (and then return again), meaning that a buffer overflow
> exploit is probably not possible. I would be interested to see if anyone came
> to a different conclusion.

I also noticed this bug some time ago under similar circumstances and I
concluded that it is _NOT_ exploitable under i386.

- DiGiT
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:27:25 PDT