[11047] in bugtraq
Re: Solaris libc exploit
daemon@ATHENA.MIT.EDU (Scott Weikart)
Fri Jul 16 21:50:10 1999
Message-Id: <199907152137.OAA18964@igc4.igc.org>
Date: Thu, 15 Jul 1999 14:37:00 -0700
Reply-To: Scott Weikart <scott@IGC.APC.ORG>
From: Scott Weikart <scott@IGC.APC.ORG>
X-To: bugtraq@netspace.org
To: BUGTRAQ@SECURITYFOCUS.COM
>> > 4118295 LC_* can be used to obtain root access from setuid programs
>> This is already fixed in Solaris 7 and the following patches for
>> Solaris 2.6:
>> RELEASE  ARCH   PATCH
>> 5.6      i386   105211-06
>> 5.6      sparc  105210-06
>
>OK, did I miss the later messages on this topic? I've been waiting for a
>formal announcement from Sun, or a real patch, or someone to say that this
>patch definitely fixes the problem, or SOMETHING...
>
>I don't know what version of patching Peter was talking about, but right
>now, I can consistently gain root on my Solaris 7 sparc box, with MU2
>applied, using the LC_MESSAGES buffer overflow exploit. And I can
>consistently do Bad Things to sh on a Solaris 2.6 box with 105210-19
>(it's a production machine, I can't actively root it).

Both 105210-22 and 105211-22 were released June 25, and list as the bug fixed:
4240566 security: LC_MESSAGES buffer overflow
-scott