[13276] in bugtraq
Re: [Hackerslab bug_paper] Solaris chkperm buffer overflow
daemon@ATHENA.MIT.EDU (Brock Tellier)
Fri Jan 7 14:07:21 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Message-Id: <20000106192435.7204.qmail@nw175.netaddress.usa.net>
Date: Thu, 6 Jan 2000 13:24:35 CST
Reply-To: Brock Tellier <btellier@USA.NET>
From: Brock Tellier <btellier@USA.NET>
X-To: "1h?kAX KimYongJun (99A9>w)" <s96192@CE.HANNAM.AC.KR>,
BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit
>[Hackerslab bug_paper] Solaris chkperm buffer overflow
>
>[Hackerslab:/users/loveyou/buf]$ chkperm -n `perl -e 'print "x" x 200'`
>Segmentation fault (core dumped)
>
>it is recommended that the suid bit is
>removed from chkperm using command :
>
> chmod 400 /usr/vmsys/bin/chkperm
Hrm, yeah, I found this one some months ago while I was checking out chkperm's
ability to read bin-owned files. After some testing I concluded that, at
least on SPARC, the function where the overflow occurs will exit() before it
is allowed to return (and then return again), meaning that a buffer overflow
exploit is probably not possible. I would be interested to see if anyone came
to a different conclusion.
Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
btellier@usa.net - www.technotronic.com/xnec
____________________________________________________________________
Get free email and a permanent address at http://www.netaddress.com/?N=1
