[22779] in bugtraq
Re: OpenUNIX 8 & Unixware possible local root
daemon@ATHENA.MIT.EDU (Rob Bartlett - CPRE EMEA)
Wed Oct 3 16:02:18 2001
Message-Id: <200110031659.f93GxDc19725@montgomery.UK.Sun.COM>
To: bugtraq@securityfocus.com
Cc: "Cushing, David" <David.Cushing@hitachisoftware.com>
In-Reply-To: Message from "Cushing, David" <David.Cushing@hitachisoftware.com>
of "Wed, 03 Oct 2001 11:12:52 EDT." <3587D6FDF44881459313970A8DE75A81155242@Exchange.ne.hi.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 03 Oct 2001 17:59:13 +0100
From: Rob Bartlett - CPRE EMEA <rob.bartlett@Sun.COM>
David Cushing said:
> I was able to reproduce this on a Solaris 8 sparc machine with
> different tolerances:
>
> [288] uname -a
> SunOS hostname 5.8 Generic_108528-08 sun4u sparc SUNW,Ultra-60
> [289] /usr/dt/bin/dtterm -tn `perl -e 'print "A"x1083'`
> Segmentation Fault(coredump)
> [297] /usr/dt/bin/dtterm -tn `perl -e 'print "A"x2083'`
> Bus Error(coredump)
Although the above is indeed the case:
# uname -a
SunOS hostname 5.8 Generic_108528-07 sun4u sparc SUNW,Sun-Fire
# ls -l /usr/dt/bin/dtterm
-r-xr-xr-x 1 bin bin 47312 Dec 2 1999 /usr/dt/bin/dtterm
# egrep dtterm SUNWdtbas/pkgmap
1 f none dt/bin/dtterm 0555 bin bin 47312 21292 944116615
1 f none dt/config/dtterm.tc 0444 bin bin 696 54239 944111243
1 f none dt/config/dtterm.ti 0444 bin bin 1382 37571 944111243
This means that provided you have a default install, root compromise is not
possible on Solaris 8.
Regards,
Rob
--
Sun Microsystems CPRE-EMEA Weave a circle round him thrice,
mailto: Rob.Bartlett@Sun.COM And close your eyes with holy dread,
Tel: +44 1276-455-299 For he on honey-dew hath fed,
Mobile: +44 7710-901-702 And drunk the milk of Paradise.
