[10623] in bugtraq

Re: Solaris libc exploit

daemon@ATHENA.MIT.EDU (Wyman Eric Miles)
Tue May 25 14:26:16 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.GSO.3.96.990525092909.23555C-100000@is.rice.edu>
Date: 	Tue, 25 May 1999 09:30:53 -0500
Reply-To: Wyman Eric Miles <wymanm@IS.RICE.EDU>
From: Wyman Eric Miles <wymanm@IS.RICE.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <199905242029.WAA13675@romulus>

Correct me if I'm wrong, but doesn't 105210-06 or higher address this
under 2.6?  I've been unable to get the exploit to work on any patched
system, though it works nicely on any architecture I've tried which
doesn't have the patch.

Wyman

On Mon, 24 May 1999, Casper Dik wrote:

> If you don't scare easily, you may try hacking libc with adb.
>
>
> THIS IS NOT A SUN SUPPORTED SOLUTION; USE AT YOUR OWN RISK
> YOUR SYSTEM MAY BE RENDERED INOPERABLE BY FOLLOWING THE INSTRUCTIONS
> BELOW
>
>
> No 100% guarantee either, it seems to work around the problem.
>
> This is a SPARC only solution; perhaps someone can come up with similar
> code for IA32.
>
> Before we start to alter the system C library with libc make sure
> you have SUNWsutl installed:
>
> 	$ pkginfo SUNWsutl; ls -l /usr/sbin/static
> 	system      SUNWsutl       Static Utilities
> 	total 4272
> 	-r-xr-xr-x   3 root     bin       213908 Mar 17 22:56 cp
> 	-r-xr-xr-x   3 root     bin       213908 Mar 17 22:56 ln
> 	-r-xr-xr-x   3 root     bin       213908 Mar 17 22:56 mv
> 	-r-sr-xr-x   1 root     bin       712652 Mar 17 22:58 rcp
> 	-r-xr-xr-x   1 root     bin       762108 Mar 17 23:00 tar
>
>
> On quick examination, there appear to be two functions that overflow a
> buffer:
>
> 	_real_setlocale
> 	load_all_locales
>
> (You're advised to use a different working copy of libc and only replace
> libc carefully when you've tested the result using LD_LIBRARY_PATH)
>
> adb -w /lib/libc.so.1
>
> _real_setlocale,100?a^i
>
> (lot of output)
>
>
> Make sure to remove libc.so.1.old or place it outside usr/lib as the runtime
> linker can accept it as LD_PRELOAD in which case you'd be back at sq 1.
>
>
> Casper
>

Wyman Miles
Systems Administrator, Rice University, Texas.
(713) 737-5827, e-mail:wymanm@rice.edu, pager:wymanm@pager.rice.edu
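The reply above hinges on whether patch 105210 at revision 06 or higher is installed. The following POSIX shell is an added example, not code from either poster: it parses `showrev -p` style lines ("Patch: 105210-06 Obsoletes: ...") from stdin and reports the highest installed revision of a given patch base. The sample output embedded below is constructed for illustration; on a real Solaris 2.6 host you would pipe the actual `showrev -p` output in.

```shell
#!/bin/sh
# Constructed sample of `showrev -p` output (not captured from a real host).
PATCHED_SAMPLE='Patch: 105181-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 105210-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsl
Patch: 105210-06 Obsoletes:  Requires: 105181-05 Incompatibles:  Packages: SUNWcsl
Patch: 105401-08 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr'
UNPATCHED_SAMPLE='Patch: 105181-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 105210-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsl'

# highest_rev BASE: read showrev -p lines on stdin, print the highest installed
# revision of patch BASE as a plain decimal (-1 if the patch is absent).
# Several revisions of one patch can be listed, so keep the maximum.
highest_rev() {
    best=-1
    while IFS= read -r line; do
        case "$line" in
            "Patch: $1-"*) ;;
            *) continue ;;
        esac
        rev=${line#"Patch: $1-"}   # "06 Obsoletes: ..."
        rev=${rev%% *}             # "06"
        # strip leading zeros by hand: printf '%d' would read "08" as octal
        while [ "${rev#0}" != "$rev" ]; do rev=${rev#0}; done
        [ -n "$rev" ] || rev=0
        if [ "$rev" -gt "$best" ]; then best=$rev; fi
    done
    echo "$best"
}

# patched_for_setlocale: stdin is showrev -p output; succeeds (exit 0) only if
# 105210-06 or later is present, the level cited in the reply above.
patched_for_setlocale() {
    r=$(highest_rev 105210)
    [ "$r" -ge 6 ]
}

# Stand-alone demonstration on the constructed samples.
for s in "$PATCHED_SAMPLE" "$UNPATCHED_SAMPLE"; do
    if printf '%s\n' "$s" | patched_for_setlocale; then
        echo "105210-06 or higher installed"
    else
        echo "105210-06 not installed (highest: $(printf '%s\n' "$s" | highest_rev 105210))"
    fi
done
```

On a live host, replace the sample with `showrev -p | patched_for_setlocale`; the exit status is what a fleet-wide audit script would check.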