[10608] in bugtraq
Re: Solaris libc exploit
daemon@ATHENA.MIT.EDU (M.C.Mar)
Sun May 23 13:41:34 1999
Message-Id: <Pine.GSO.4.03.9905231539490.5600-100000@dollar.it.com.pl>
Date: Sun, 23 May 1999 15:43:54 +0200
Reply-To: "M.C.Mar" <emsi@it.pl>
From: "M.C.Mar" <woloszyn@IT.PL>
X-To: "UNYUN@ShadowPenguinSecurity" <unyun@MAIL.GOO.NE.JP>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199905211145065@unyun.mail.goo.ne.jp>
On Sat, 22 May 1999, UNYUN@ShadowPenguinSecurity wrote:
> Hello.
>
> libc overflows when it handles LC_MESSAGES.
> So, if you set a long string in LC_MESSAGES and call
> /bin/sh, a core file is dumped.
> This is a serious problem.
>
Well...
$ setenv LC_MESSAGES `perl -e 'print "A"x1024'`
$ /bin/sh
couldn't set locale correctly
$ uname -a
SunOS XXXXXX 5.6 Generic_105181-07 sun4u sparc SUNW,Ultra-4
> If the long string that contains the exploit code is set in
> LC_MESSAGES and a suid program is called by execl(), a local user
> can get root privilege. The called suid program does not
> have to contain the overflow bug itself.
> I confirmed this bug on Solaris 2.6 and Solaris 7.
> Solaris 2.4 and 2.5 do not contain this bug.
>
Do I need to call it directly by execl???
> The following program is an example to get root privilege.
> This is tested on Solaris2.6 for Sparc edition.
> This program calls "/bin/passwd", but you can also specify
> other suid programs such as "/bin/su" or "/bin/rsh".
>
$ traceroute
Error: Aborting!
Excessive environment variable length:
'LC_MESSAGES=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!
AA!
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
Seems like universal wrapper...
Any details? Did I miss something?
--
___________________________________________________________________________
M.C.Mar An NT server can be run by an idiot, and usually is. emsi@it.pl
"If you can't make it good, make it LOOK good." - Bill Gates
Those who do not understand Unix are condemned to reinvent it, poorly.
- Henry Spencer, University of Toronto Unix hack
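The "Excessive environment variable length" message that traceroute's wrapper prints above is an example of validating the environment before a setuid program ever calls setlocale(). The following C sketch is an added example, not code from this thread or from Sun: it shows both the abort-style check (reject the whole exec if any entry is too long) and a filter-style variant (drop only the oversized entries); the 256-byte per-entry limit and the sample environment are assumptions.

```c
#include <string.h>

/* Assumed per-entry limit; the thread does not say what limit
 * traceroute's wrapper enforces. */
#define MAX_ENV_ENTRY_LEN 256

/* Abort-style check: index of the first "NAME=value" entry longer than
 * max_len, or -1 if every entry fits. */
int find_oversized_env(char *const envp[], size_t max_len)
{
    for (int i = 0; envp[i] != NULL; i++)
        if (strlen(envp[i]) > max_len)
            return i;
    return -1;
}

/* Filter-style check: copy only entries that fit into out (out_cap slots,
 * NULL-terminated). Returns the number kept, or -1 if out is too small. */
int filter_env(char *const envp[], size_t max_len, char *out[], size_t out_cap)
{
    size_t n = 0;
    for (int i = 0; envp[i] != NULL; i++) {
        if (strlen(envp[i]) > max_len)
            continue;             /* drop the oversized entry */
        if (n + 1 >= out_cap)     /* keep room for the terminating NULL */
            return -1;
        out[n++] = envp[i];
    }
    out[n] = NULL;
    return (int)n;
}

/* Constructed sample environment: LC_MESSAGES set to 1024 'A's, as in the
 * post, between two ordinary entries. */
static char sample_lc[12 + 1024 + 1];
static char *sample_env[] = { "PATH=/usr/bin", sample_lc, "HOME=/tmp", NULL };

static char *const *sample(void)
{
    memcpy(sample_lc, "LC_MESSAGES=", 12);
    memset(sample_lc + 12, 'A', 1024);
    sample_lc[12 + 1024] = '\0';
    return sample_env;
}

/* Expected 1: the LC_MESSAGES entry is the one an abort-style wrapper rejects. */
int sample_oversized_index(void) { return find_oversized_env(sample(), MAX_ENV_ENTRY_LEN); }

/* Expected 2: PATH and HOME survive, LC_MESSAGES is dropped. */
int sample_filtered_count(void) { char *clean[8]; return filter_env(sample(), MAX_ENV_ENTRY_LEN, clean, 8); }
```

A real wrapper would pass the filtered array as the envp argument of execve() so the target never sees the oversized entry.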