[11030] in bugtraq
Re: Solaris libc exploit
daemon@ATHENA.MIT.EDU (Brandon Hume)
Thu Jul 15 17:04:30 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id: <199907141916.QAA09351@Den.BOFH.Halifax.NS.Ca>
Date: Wed, 14 Jul 1999 16:16:30 -0300
Reply-To: Brandon Hume <hume@DEN.BOFH.HALIFAX.NS.CA>
From: Brandon Hume <hume@DEN.BOFH.HALIFAX.NS.CA>
X-To: BUGTRAQ@NETSPACE.ORG
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <199905261120.MAA15848@otis.UK.Sun.COM> from Peter Harvey Solaris
Sustaining Engineering at "May 26, 1999 12:20: 3 pm"
> > 4118295 LC_* can be used to obtain root access from setuid programs
> This is already fixed in Solaris 7 and the following patches for
> Solaris 2.6:
> RELEASE ARCH PATCH
> 5.6 i386 105211-06
> 5.6 sparc 105210-06
OK, did I miss the later messages on this topic? I've been waiting for a
formal announcement from Sun, or a real patch, or someone to say that this
patch definitely fixes the problem, or SOMETHING...
I don't know what version of patching Peter was talking about, but right
now, I can consistently gain root on my Solaris 7 sparc box, with MU2
applied, using the LC_MESSAGES buffer overflow exploit. And I can
consistently do Bad Things to sh on a Solaris 2.6 box with 105210-19
(its a production machine, I can't actively root it).
I'm praying I missed something. Did I?
--
Brandon Hume - hume -> BOFH.Halifax.NS.Ca, http://WWW.BOFH.Halifax.NS.Ca/
-> Solaris Snob and general NOCMonkey
