Hi,

Solaris 7 on sparc 64bits crashes but you need to fill the buffer with more than 1200 bytes. The segfault occurs on a ldsb instruction, so I don't know if it's feasible to exploit this bug (Haven't done enough investigation).

Nowadays I'm using wrappers to prevent this kind of exploit since I can't afford to wait for Sun's patches. If you need a quick workaround using wrappers drop me a mail and I'll send you a simple wrapper.

--
Filipe Almeida <filipeat_private> aka LiquidK

> -----Original Message-----
> From: Bugtraq List [mailto:BUGTRAQat_private] On Behalf Of Robert Sink
> Sent: segunda-feira, 16 de Abril de 2001 21:48
> To: BUGTRAQat_private
> Subject: Re: Solaris ipcs vulnerability
>
> I've tried:
>
> TZ=`/usr/local/bin/perl -e 'print "A"x1107'`
>
> ...on... both 64 bit Solaris 8 and Solaris 7 (we have no 32 bit
> machines here) and cannot get the programs to crash. They just
> happily display the A's, plus the other information and exit
> normally.
>
> Solaris 7: SunOS xxx 5.7 Generic_106541-12 sun4u sparc
> Solaris 8: SunOS xxx 5.8 Generic_108528-05 sun4u sparc
>
> I keep the patches on the bleeding edge, but I can find nothing
> offhand in the latest patchdiag.xref that would have altered this.
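
The wrapper approach mentioned in the reply above, sketched as an added example (not part of the original post, and not the wrapper its author offered): a small program installed in place of the affected binary that drops an over-long or non-printable `TZ` before executing the real one. The relocated path `/usr/bin/ipcs.real`, the 64-byte cap and the name `scrub_env_var` are assumptions for illustration, and the code assumes a libc that provides POSIX `unsetenv`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumption: the original binary has been moved here (placeholder path). */
#define REAL_BINARY "/usr/bin/ipcs.real"
/* Assumption: a conservative cap, far below the lengths tried in the thread. */
#define MAX_TZ_LEN 64

/*
 * Drop an environment variable if its value is longer than max_len or
 * contains bytes outside printable ASCII.
 * Returns 1 if the variable was removed, 0 if it was absent or kept.
 */
int scrub_env_var(const char *name, size_t max_len)
{
    const char *val = getenv(name);
    size_t i, len;

    if (val == NULL)
        return 0;
    len = strlen(val);
    if (len <= max_len) {
        for (i = 0; i < len; i++) {
            unsigned char c = (unsigned char)val[i];
            if (c < 0x20 || c > 0x7e)
                break;              /* control or high-bit byte */
        }
        if (i == len)
            return 0;               /* short and printable: keep it */
    }
    unsetenv(name);                 /* fall back to the system default zone */
    return 1;
}

int main(int argc, char **argv)
{
    (void)argc;
    if (scrub_env_var("TZ", MAX_TZ_LEN))
        fprintf(stderr, "wrapper: dropped suspicious TZ value\n");
    execv(REAL_BINARY, argv);       /* only returns on failure */
    perror("execv");
    return 127;
}
```

The wrapper itself needs no privileges; only the relocated binary keeps its original mode bits, and it should not remain reachable through users' `PATH`.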
This archive was generated by hypermail 2b30 : Tue Apr 17 2001 - 11:37:24 PDT