We found that "at" in Solaris is vulnerable on Solaris 7 and 8. The kind of bug is discussed in Bugtraq ID 1634:

--<
Generally a program that needs to display a message to the user will obtain the proper language-specific string from the database using the original message as the search key and print the result using the printf(3) family of functions. By building and installing a custom messages database an attacker can control the output of the message retrieval functions that gets fed to the printf(3) functions. Bad coding practices and the ability to feed format strings to the latter functions make it possible for an attacker to execute arbitrary code as a privileged user (root) using almost any SUID program on the vulnerable systems.
>--

When the "at" command succeeds, it returns the message:

    "commands will be executed using: <shell>\n"

The user can create a specific format string in the message for gettext() and set the NLSPATH environment variable. That way, the user may get root privileges.

The exploit will be released later...

--
Huang-Yu Wang
hankat_private R&D Team, ISS-TW
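The pattern the post describes, printf(gettext(msg), ...), and one program-level check against it, as an added example that is not part of the original post and is not Solaris or ISS code. The in-memory "catalog" below is a constructed stand-in for the message database that NLSPATH points gettext(3) at, and catalog_lookup() stands in for gettext() itself; the check refuses any translated string whose conversion directives differ from the program's own original, so a catalog entry such as "%x %x %n" never reaches the printf family as a format string.

```c
/* Added example: vulnerable printf(gettext(msg), ...) pattern beside a
 * hardened form.  The catalog and lookup below are constructed stand-ins
 * for the NLSPATH message database and gettext(3); they are not the real API. */
#include <stdio.h>
#include <stdarg.h>
#include <string.h>
#include <ctype.h>

#define MAX_SPECS 32

/* Collect the conversion characters of a printf-style format, in order.
 * "%%" is a literal and is skipped; a '*' width or precision consumes an
 * argument, so it is recorded as its own entry.  Positional "%2$d" forms
 * are accepted.  Returns the count, or -1 if a '%' has no conversion. */
static int fmt_specs(const char *fmt, char out[MAX_SPECS])
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                       /* literal percent */
        while (isdigit((unsigned char)*p)) p++;        /* "n$" position or width */
        if (*p == '$') p++;
        while (*p && strchr("-+ #0'", *p)) p++;        /* flags */
        if (*p == '*') { if (n >= MAX_SPECS) return -1; out[n++] = '*'; p++; }
        while (isdigit((unsigned char)*p)) p++;        /* width */
        if (*p == '.') {                               /* precision */
            p++;
            if (*p == '*') { if (n >= MAX_SPECS) return -1; out[n++] = '*'; p++; }
            while (isdigit((unsigned char)*p)) p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;       /* length modifiers */
        if (*p == '\0' || n >= MAX_SPECS) return -1;
        out[n++] = *p;
    }
    return n;
}

/* Accept a translation only if its directives are exactly the original's
 * (same count, same conversions, same order) and it never uses %n.
 * Conservative on purpose: a reordered "%2$s %1$d" is rejected. */
static int translation_is_safe(const char *orig, const char *xlat)
{
    char a[MAX_SPECS], b[MAX_SPECS];
    int na = fmt_specs(orig, a), nb = fmt_specs(xlat, b);
    if (na < 0 || nb < 0 || na != nb) return 0;
    if (memchr(b, 'n', (size_t)nb)) return 0;          /* %n writes memory: never */
    return memcmp(a, b, (size_t)na) == 0;
}

/* Constructed stand-in for gettext(): returns the catalog's string, or the
 * original message when no entry exists, as gettext(3) does. */
static const char *catalog_lookup(const char *const catalog[][2], size_t n,
                                  const char *msg)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(catalog[i][0], msg) == 0) return catalog[i][1];
    return msg;
}

/* VULNERABLE: whatever the catalog returned is used as the format string,
 * so an attacker-supplied catalog drives printf's parsing of the stack. */
static void announce_shell_vulnerable(const char *translated, const char *shell)
{
    printf(translated, shell);
}

/* HARDENED: format with the translation only when it passed the check,
 * otherwise fall back to the program's own string.  Returns 1 if the
 * translation was used, 0 if it was rejected; output goes to `out`. */
static int format_translated(char *out, size_t sz, const char *orig,
                             const char *xlat, ...)
{
    const char *fmt = translation_is_safe(orig, xlat) ? xlat : orig;
    va_list ap;
    va_start(ap, xlat);
    vsnprintf(out, sz, fmt, ap);
    va_end(ap);
    return fmt == xlat;
}

int main(void)
{
    /* Constructed catalogs: a legitimate locale's entry, and the entry an
     * attacker's NLSPATH-pointed catalog would carry. */
    const char *msg = "commands will be executed using: %s\n";
    const char *const benign[][2]  = { { msg, "les commandes seront executees avec : %s\n" } };
    const char *const hostile[][2] = { { msg, "%x %x %x %n\n" } };
    char out[128];

    announce_shell_vulnerable(catalog_lookup(benign, 1, msg), "/bin/sh");   /* fine only because the catalog is benign */

    format_translated(out, sizeof out, msg, catalog_lookup(benign, 1, msg), "/bin/sh");
    fputs(out, stdout);                           /* translated, one %s as intended */
    format_translated(out, sizeof out, msg, catalog_lookup(hostile, 1, msg), "/bin/sh");
    fputs(out, stdout);                           /* hostile entry rejected, original used */
    return 0;
}
```

The check is a belt-and-braces measure for the program; the platform-level fix for the class of bug is for the C library to ignore NLSPATH (and the other locale-path variables) whenever the process is set-uid or set-gid, i.e. when getuid() != geteuid(), so that an unprivileged caller cannot choose the catalog a privileged program reads.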
This archive was generated by hypermail 2b30 : Tue Jun 12 2001 - 12:10:09 PDT