[13300] in bugtraq
Re: [Hackerslab bug_paper] Solaris chkperm buffer overflow
daemon@ATHENA.MIT.EDU (Theodor Ragnar Gislason)
Mon Jan 10 23:20:24 2000
Message-Id: <Pine.LNX.3.96.1000107214503.31036A-100000@carma.isirc.is>
Date: Fri, 7 Jan 2000 21:47:26 +0000
Reply-To: Theodor Ragnar Gislason <teddi@LINUX.IS>
From: Theodor Ragnar Gislason <teddi@LINUX.IS>
X-To: Brock Tellier <btellier@USA.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000106192435.7204.qmail@nw175.netaddress.usa.net>
On Thu, 6 Jan 2000, Brock Tellier wrote:
> >[Hackerslab bug_paper] Solaris chkperm buffer overflow
> >
> >[Hackerslab:/users/loveyou/buf]$ chkperm -n `perl -e 'print "x" x 200'`
> >Segmentation fault (core dumped)
> >
> >it is recommended that the suid bit is
> >removed from chkperm using the command:
> >
> > chmod 400 /usr/vmsys/bin/chkperm
>
> Hrm, yeah, I found this one some months ago while I was checking out chkperm's
> ability to read bin-owned files. After some testing I concluded that, at
> least on SPARC, the function where the overflow occurs will exit() before it
> is allowed to return (and then return again), meaning that a buffer overflow
> exploit is probably not possible. I would be interested to see if anyone came
> to a different conclusion.
I also noticed this bug some time ago under similar circumstances and I
concluded that it is _NOT_ exploitable under i386.
-
DiGiT
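Added illustration, not code from the advisory or from either poster, and not chkperm's source (which the thread does not show): a constructed C program with the frame shape Brock describes (fixed stack buffer, unbounded copy of the -n argument, exit() before return) next to a bounds-checked copy that rejects the advisory's 200-byte input. The buffer size of 32, the function names and the sample names are assumptions for illustration; the program models only the return-address path the thread discusses and does not settle whether the real binary is exploitable by other means.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the hypothetical name buffer. chkperm's real buffer size is
 * not given on the page; 32 is an assumption for illustration. */
#define NAME_BUF 32

/* 'Before' shape, constructed to match the thread's description, NOT
 * chkperm's actual source: a fixed stack buffer, an unbounded copy of
 * the -n argument, then exit() with no return. Called with the 200 'x'
 * argument from the advisory this smashes the frame and segfaults; it is
 * defined here for comparison only and is never called in this file. */
void check_name_vulnerable(const char *name)
{
    char buf[NAME_BUF];

    strcpy(buf, name);          /* overflow: no length check */
    printf("checking %s\n", buf);
    exit(1);                    /* never returns, so the corrupted saved
                                   return address is never popped */
}

/* Hardened copy: refuses any name that would not fit, NUL included.
 * Returns 0 on success, -1 when src is too long (dst left untouched). */
int copy_name_checked(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);

    if (dstsz == 0 || n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Fills out with (outsz - 1) 'x' characters plus a NUL; with outsz == 201
 * this rebuilds the advisory's input: perl -e 'print "x" x 200'. */
static void make_long_arg(char *out, size_t outsz)
{
    size_t i;

    for (i = 0; i + 1 < outsz; i++)
        out[i] = 'x';
    out[i] = '\0';
}

/* Returns 1 if the 200-byte argument is rejected before any copy. */
int long_arg_rejected(void)
{
    char arg[201];
    char buf[NAME_BUF];

    make_long_arg(arg, sizeof arg);
    return strlen(arg) == 200
        && copy_name_checked(buf, sizeof buf, arg) == -1;
}

/* Returns 1 if an ordinary short name (assumed sample) is copied intact. */
int short_arg_accepted(void)
{
    char buf[NAME_BUF];

    return copy_name_checked(buf, sizeof buf, "loveyou") == 0
        && strcmp(buf, "loveyou") == 0;
}

/* Returns 1 if the off-by-one boundary is handled: NAME_BUF - 1
 * characters fit, NAME_BUF characters (no room for the NUL) do not. */
int boundary_ok(void)
{
    char fits[NAME_BUF];        /* 31 'x' + NUL */
    char toolong[NAME_BUF + 1]; /* 32 'x' + NUL */
    char buf[NAME_BUF];

    make_long_arg(fits, sizeof fits);
    make_long_arg(toolong, sizeof toolong);
    return copy_name_checked(buf, sizeof buf, fits) == 0
        && strlen(buf) == NAME_BUF - 1
        && copy_name_checked(buf, sizeof buf, toolong) == -1;
}

int main(void)
{
    printf("200 x's rejected: %d\n", long_arg_rejected());
    printf("short name ok:    %d\n", short_arg_accepted());
    printf("boundary ok:      %d\n", boundary_ok());
    return 0;
}
```

The bounds check is the fix a vendor patch would carry; the advisory's chmod 400 only removes the privilege the crash could have been leveraged against, it does not remove the overflow.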