[10531] in bugtraq
Re: SunOS 5.6 (X86) lpset vulnerability
daemon@ATHENA.MIT.EDU (Craig Johnston)
Thu May 13 18:06:37 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.GSO.3.96.990511222919.6549A-100000@jane.lfn.org>
Date: Tue, 11 May 1999 22:39:25 -0500
Reply-To: Craig Johnston <caj@LFN.ORG>
From: Craig Johnston <caj@LFN.ORG>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199905110243.LAA10770@kosnet.net>
On Tue, 11 May 1999, kim yong-jun homepage=ce.hannam.ac.kr/~s96192 wrote:
> This is my second post to ButTraq.
> If this is old, I'm sorry.
>
>
> It's buffer overflow in "/usr/bin/lpset".
>
> View this command :
> [loveyou@/] % /usr/bin/lpset -a key=`perl -e 'print "x" x 1006'` loveyou
>
> [loveyou@/] % /usr/bin/lpset -a key=`perl -e 'print "x" x 1007'` loveyou
> Segmentation fault
On my Solaris 2.6 and 2.7 systems, unless you are already uid 0 or
are gid 14 lpset bombs before it can dump core, with "Permission
denied: not in group 14."
It dumps core as root.
So apparently this will only get one a gid 14 -> uid 0 upgrade.
I found on my Solaris systems I had already stripped the setuid bit
because we don't use the program and Sun does a truly pathetic job of
rooting the buffer overflows out of their setuid code.
With the number of units of Solaris that are sold, every setuid/setgid
binary on the system should have been audited for overflows. It's
really pathetic that we are still seeing them.
It's especially cute when Sun ships a new version with holes for which
patches were available for the previous version. (see 'ufsrestore')
