[10606] in bugtraq


Re: Solaris libc exploit

daemon@ATHENA.MIT.EDU (Oystein Viggen)
Sun May 23 13:41:30 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.10.9905221721240.28732-100000@colargol.tihlde.org>
Date: Sat, 22 May 1999 17:26:47 +0200
Reply-To: Oystein Viggen <oysteivi@TIHLDE.ORG>
From: Oystein Viggen <oysteivi@TIHLDE.ORG>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199905211145065@unyun.mail.goo.ne.jp>

On Sat, 22 May 1999, UNYUN@ShadowPenguinSecurity wrote:

> Hello.
>
> libc overflows when it handles LC_MESSAGES.
> So, if you set a long string in LC_MESSAGES and call
> /bin/sh, a core file is dumped.
> This is a serious problem.
>
> If a long string that contains the exploit code is set in
> LC_MESSAGES and a suid program is called by execl(), a local user
> can get root privilege. The called suid program does not
> have to contain the overflow bug itself.
> I confirmed this bug on Solaris2.6 and Solaris7.
> Solaris2.4 and 2.5 do not contain this bug.

Didn't work on my Solaris2.6/sparc box.
It just said "Illegal instruction" when using /bin/passwd and segfaulted
when using /bin/su.

Oystein
---
"The only way of discovering the limits of the possible
is to venture a little way past them into the impossible."
- Arthur C. Clarke
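Added example, not code from either poster: a C environment scrubber that a setuid wrapper could apply before execl()/execve(), so that an oversized LANG or LC_* value such as the LC_MESSAGES string described above is dropped instead of being handed to the privileged program's libc. The 64-byte limit, the allowed character set and the sample environment are my assumptions, not Solaris values.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#define LOCALE_VALUE_MAX 64  /* assumed sane upper bound for a locale name */

/* 1 if v looks like a plain locale name ("C", "en_US.ISO8859-1", "de_DE@euro");
 * 0 if it is empty, oversized or holds other characters. */
int locale_value_is_sane(const char *v)
{
    size_t n = strlen(v);
    if (n == 0 || n > LOCALE_VALUE_MAX) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)v[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '@' && c != '-') return 0;
    }
    return 1;
}

/* 1 if a "NAME=value" entry is LANG or any LC_* variable, the ones a setuid
 * program inherits across execl() and feeds to the locale code in libc. */
static int is_locale_entry(const char *entry)
{
    return strncmp(entry, "LANG=", 5) == 0 || strncmp(entry, "LC_", 3) == 0;
}

/* Copy envp into out (at most cap entries), dropping locale variables whose value
 * fails locale_value_is_sane(). Returns the count kept; a wrapper would
 * NULL-terminate out[] and pass it to execve() instead of the raw environ. */
size_t scrub_locale_env(char *const envp[], const char *out[], size_t cap)
{
    size_t kept = 0;
    for (size_t i = 0; envp[i] && kept < cap; i++) {
        const char *eq = strchr(envp[i], '=');
        if (eq && is_locale_entry(envp[i]) && !locale_value_is_sane(eq + 1))
            continue;  /* oversized or malformed locale value: drop it */
        out[kept++] = envp[i];
    }
    return kept;
}

/* Constructed sample environment carrying one oversized LC_MESSAGES value. */
size_t demo_scrub(void)
{
    static char big[600] = "LC_MESSAGES=";
    memset(big + 12, 'A', sizeof big - 13);  /* 587 'A's, last byte stays NUL */
    char *env[] = { "PATH=/usr/bin", "LANG=en_US.ISO8859-1", big, "LC_ALL=C", NULL };
    const char *out[8];
    return scrub_locale_env(env, out, 8);  /* 3: the LC_MESSAGES entry is dropped */
}
int main(void) { printf("kept %zu of 4 entries\n", demo_scrub()); return 0; }
```

This only narrows what reaches programs started through the wrapper; the libc overflow itself still needs the vendor patch.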