[20167] in bugtraq
Re: Solaris Xsun buffer overflow vulnerability
daemon@ATHENA.MIT.EDU (Leif Sawyer)
Wed Apr 11 18:53:17 2001
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-ID: <BF9651D8732ED311A61D00105A9CA3150446D832@berkeley.gci.com>
Date: Wed, 11 Apr 2001 08:47:36 -0800
Reply-To: Leif Sawyer <lsawyer@GCI.COM>
From: Leif Sawyer <lsawyer@GCI.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
> From: eEye Digital Security [mailto:eeye@EEYE.COM]
> Solaris Xsun buffer overflow vulnerability
>
> Discovered and exploited by:
> Riley Hassell riley@eeye.com
>
> Release Date:
> April 10, 2001
>
> Systems Affected:
> Solaris 7/8 (x86 and sparc)
>
> Description:
> Yet some more Solaris spring cleaning...
>
> A buffer overflow was discovered in Xsun. Since Xsun is SUID root,
> exploiting this vulnerability yields root privileges. The
Hmm.
Just a quick check on a couple of the boxen that I've got access to:
(historical reference)
root@okmok> uname -r
5.5.1
root@okmok> dir `which Xsun`
-rwxr-s-r-x 1 root root 729792 Jan 26 21:20
/usr/openwin/bin/Xsun
root@foraker> uname -r
5.6
root@foraker> dir `which Xsun`
-rwxr-s-r-x 1 root root 916792 May 5 2000
/usr/openwin/bin/Xsun
root@wormhole> uname -r
5.8
root@wormhole> dir `which Xsun`
-rwxr-s-r-x 1 root root 1941644 Dec 15 1999
/usr/openwin/bin/Xsun
My Solaris 8 only seems to have the following patches:
root@wormhole> showrev -p | awk '{print $1 $2}'
Patch:108131-03
Patch:108132-03
Don't have a Solaris 7 box to check. Not sure why your Solaris 8 has
a SUID Xsun install, either.
Leif
