[10635] in bugtraq
Re: Solaris libc exploit
daemon@ATHENA.MIT.EDU (Toby Chappell)
Tue May 25 16:46:04 1999
Message-Id: <199905251921.PAA20713@evoken.Gsu.EDU>
Date: Tue, 25 May 1999 15:21:20 -0400
Reply-To: Toby Chappell <sysatc@EVOKEN.GSU.EDU>
From: Toby Chappell <sysatc@EVOKEN.GSU.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Tue, 25 May 1999 09:30:53 CDT."
<Pine.GSO.3.96.990525092909.23555C-100000@is.rice.edu>
Wyman Eric Miles wrote:
# Correct me if I'm wrong, but doesn't 105210-06 or higher address this
# under 2.6? I've been unable to get the exploit to work on any patched
# system, though it works nicely on any architecture I've tried which
# doesn't have the patch.
#
I got it to work using the second version of the exploit (the one that lets
you specify offsets) on a 2.6 box with 105210-10 installed....
toby
# Wyman
#
# On Mon, 24 May 1999, Casper Dik wrote:
#
# > If you don't scare easily, you may try hacking libc with adb.
# >
# >
# > THIS IS NOT A SUN SUPPORTED SOLUTION; USE AT YOUR OWN RISK
# > YOUR SYSTEM MAY BE RENDERED INOPERABLE BY FOLLOWING THE INSTRUCTIONS
# > BELOW
# >
# >
# > No 100% guarantee either, it seems to work around the problem.
# >
# > This is a SPARC only solution; perhaps someone can come up with similar
# > code for IA32.
# >
# > Before we start to alter the system C library with libc make sure
# > you have SUNWsutl installed:
# >
# > $ pkginfo SUNWsutl; ls -l /usr/sbin/static
# > system SUNWsutl Static Utilities
# > total 4272
# > -r-xr-xr-x 3 root bin 213908 Mar 17 22:56 cp
# > -r-xr-xr-x 3 root bin 213908 Mar 17 22:56 ln
# > -r-xr-xr-x 3 root bin 213908 Mar 17 22:56 mv
# > -r-sr-xr-x 1 root bin 712652 Mar 17 22:58 rcp
# > -r-xr-xr-x 1 root bin 762108 Mar 17 23:00 tar
# >
# >
# > On quick examination, there appear to be two functions that overflow a
# > buffer:
# >
# > _real_setlocale
# > load_all_locales
# >
# > (You're advised to use a different working copy of libc and only replace
# > libc carefully when you've tested the result using LD_LIBRARY_PATH)
# >
# > adb -w /lib/libc.so.1
# >
# > _real_setlocale,100?a^i
# >
# > (lot of output)
# >
# >
# > Make sure to remove libc.so.1.old or place it outside usr/lib as the runtime
# > linker can accept it as LD_PRELOAD in which case you'd be back at sq 1.
# >
# >
# > Casper
# >
#
# Wyman Miles
# Systems Administrator, Rice University, Texas.
# (713) 737-5827, e-mail:wymanm@rice.edu, pager:wymanm@pager.rice.edu
--
Toby Chappell Georgia State Univ.
Systems Programmer IV Atlanta, Georgia
tchappell@gsu.edu (404) 651-2639
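As an added example (not part of this thread and not Sun's guidance), a small POSIX shell check for the leftover-copy problem Casper mentions: after the patched library is installed, it reports any suffixed copy of libc.so.1 still sitting in a library directory, where the runtime linker could pick it up via LD_PRELOAD. The directory argument, its default, and the name patterns are assumptions.

```shell
# Added example, not from the thread: verify that no backup copy of the old
# libc (e.g. libc.so.1.old) remains in a library directory after the patched
# library has been put in place.
# Exit status: 0 = clean, 1 = at least one stale copy found (listed on stderr).
# The directory is a parameter (assumed default /usr/lib) so the check can be
# run against a staging tree before touching the live system.
find_stale_libc() {
    dir=${1:-/usr/lib}
    found=0
    # The live library and its version links are libc.so and libc.so.1;
    # anything named libc.so.1 plus a suffix is a leftover copy.
    for f in "$dir"/libc.so.1.* "$dir"/libc.so.1_* "$dir"/libc.so.1-*; do
        [ -e "$f" ] || continue          # an unmatched glob stays literal
        found=1
        printf 'stale libc copy: %s\n' "$f" >&2
    done
    return $found
}
```

Run it as `find_stale_libc /usr/lib` (or on a staging directory) once the replacement is done; a non-zero status means the old library is still reachable.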