[20274] in bugtraq
Re: Solaris ipcs vulnerability
daemon@ATHENA.MIT.EDU (Filipe Almeida)
Tue Apr 17 15:54:53 2001
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Message-ID: <000301c0c73b$ab372650$26a488c1@rnl.ist.utl.pt>
Date: Tue, 17 Apr 2001 13:41:05 +0100
Reply-To: Filipe Almeida <filipe@IST.UTL.PT>
From: Filipe Almeida <filipe@IST.UTL.PT>
X-To: Robert Sink <sinkr@CBL.UMCES.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <15067.23174.388984.783662@tempermental.cbl.umces.edu>
Hi,
Solaris 7 on 64-bit sparc crashes, but you need to fill the
buffer with more than 1200 bytes.
The segfault occurs on a ldsb instruction, so I don't know if
it's feasible to exploit this bug (haven't done enough investigation).
Nowadays I'm using wrappers to prevent this kind of exploit
since I can't afford to wait for Sun's patches. If you need a quick
workaround using wrappers drop me a mail and I'll send you a simple
wrapper.
--
Filipe Almeida <filipe@rnl.ist.utl.pt>
aka LiquidK
> -----Original Message-----
> From: Bugtraq List [mailto:BUGTRAQ@SECURITYFOCUS.COM] On
> Behalf Of Robert Sink
> Sent: Monday, 16 April 2001 21:48
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: Re: Solaris ipcs vulnerability
>
>
> I've tried:
>
> TZ=`/usr/local/bin/perl -e 'print "A"x1107'`
>
> ...on... both 64 bit Solaris 8 and Solaris 7 (we have no 32
> bit machines here) and cannot get the programs to crash.
> They just happily display the A's, plus the other information
> and exit normally.
>
> Solaris 7: SunOS xxx 5.7 Generic_106541-12 sun4u sparc
> Solaris 8: SunOS xxx 5.8 Generic_108528-05 sun4u sparc
>
> I keep the patches on the bleeding edge, but I can find
> nothing offhand in the latest patchdiag.xref that would have
> altered this.
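
Added example, not part of the original message and not the wrapper its author offers: one way an environment-sanitizing wrapper of the kind mentioned above can be written. It is installed in place of the affected program and drops overlong or malformed environment entries (such as the long TZ value discussed in the thread) before running the original. The path REAL_BINARY and the 256-byte limit are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_ENV_LEN 256                  /* assumed limit, well below the sizes in the thread */
#define REAL_BINARY "/usr/bin/ipcs.real" /* hypothetical path of the renamed original */

/* Keep an entry only if it is NAME=value, within the length limit and
 * printable ASCII (a deliberately conservative policy for this sketch). */
static int env_entry_ok(const char *entry, size_t max_len)
{
    size_t i, len = strlen(entry);

    if (len > max_len || entry[0] == '=' || strchr(entry, '=') == NULL)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char ch = (unsigned char)entry[i];
        if (ch < 0x20 || ch > 0x7e)
            return 0;
    }
    return 1;
}

/* Compact envp in place, removing rejected entries; returns the number dropped. */
static int sanitize_env(char **envp, size_t max_len)
{
    char **src, **dst = envp;
    int dropped = 0;

    for (src = envp; *src != NULL; src++) {
        if (env_entry_ok(*src, max_len))
            *dst++ = *src;
        else
            dropped++;
    }
    *dst = NULL;
    return dropped;
}

int main(int argc, char **argv, char **envp)
{
    (void)argc;
    if (sanitize_env(envp, MAX_ENV_LEN) > 0)
        fprintf(stderr, "wrapper: dropped oversized or malformed environment entries\n");
    execve(REAL_BINARY, argv, envp);   /* the original only ever sees the filtered environment */
    perror("execve");                  /* reached only if the exec failed */
    return 127;
}
```

A dropped TZ means the wrapped program runs with the system default time zone, which is the intended fail-safe here.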