[3636] in bugtraq
Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit
daemon@ATHENA.MIT.EDU (Craig Raskin)
Mon Nov 18 21:35:18 1996
Date: Mon, 18 Nov 1996 20:29:28 -0500
Reply-To: Craig Raskin <raskin@aoml.noaa.gov>
From: Craig Raskin <raskin@aoml.noaa.gov>
X-To: Jeremy Elson <jelson@helix.nih.gov>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To: <Pine.SGI.3.95.961118133522.8991B-100000@helix.nih.gov>
On Mon, 18 Nov 1996, Jeremy Elson wrote:
> I have found what I believe is a very serious security hole in the
> gethostbyname() function provided in the nsl library of Solaris 2.5 and
> 2.5.1. The hole allows local users to gain access to a root shell
> (exploit program provided below). There is a good chance this exploit can
> be modified to allow a remote attack, but such a method has not yet been
> found.
After doing some playing around, it looks like this only affects machines
with patch level 103615-01 and up. Try backing out of that patch and it
should fix the problem.
**************************************************************************
Craig Raskin, raskin@aoml.noaa.gov
Unix System Administrator
U.S. Dept. Of Commerce
NOAA/AOML, Miami Fl.

"A competent and self-confident person is incapable of jealousy in anything.
Jealousy is invariably a symptom of neurotic insecurity." -- Heinlein