[3639] in bugtraq
Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit
daemon@ATHENA.MIT.EDU (Paul B. Henson)
Mon Nov 18 22:26:21 1996
Date: Mon, 18 Nov 1996 18:40:58 -0800
Reply-To: pbhenson@csupomona.edu
From: "Paul B. Henson" <henson@intranet.csupomona.edu>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To: <Pine.SUN.3.91.961118202805.13542A-100000@null> (message from
Craig Raskin on Mon, 18 Nov 1996 20:29:28 -0500)
> > I have found what I believe is a very serious security hole in the
> > gethostbyname() function provided in the nsl library of Solaris 2.5 and
> > 2.5.1. The hole allows local users to gain access to a root shell
> > (exploit program provided below). There is a good chance this exploit can
> > be modified to allow a remote attack, but such a method has not yet been
> > found.
>
> After doing some playing around, it looks like this only affects machines
> with patch level 103615-01 and up. Try backing out of that patch and it
> should fix the problem.
I have some Solaris 2.5 machines at different patch levels (see showrev -p
output below), and they're all affected by this bug. Neither one has patch
103615-01 on it. I checked the patch list, and it seems that 103615-* only
applies to 2.5.1, not 2.5. A friend of mine has a 2.5 box with *no* patches
installed, and he said the exploit program doesn't seem to work on it.
Any news on an official patch from Sun?
----- One machine
Patch: 102832-01 Obsoletes: Packages: SUNWolrte, SUNWolslb
Patch: 102841-01 Obsoletes: Packages: SUNWolrte, SUNWolslb
Patch: 102850-01 Obsoletes: Packages: SUNWolrte, SUNWolinc, SUNWolslb
Patch: 102835-01 Obsoletes: Packages: SUNWoldst
Patch: 102837-01 Obsoletes: Packages: SUNWoldst
Patch: 102839-01 Obsoletes: Packages: SUNWoldst
Patch: 102846-01 Obsoletes: Packages: SUNWolimt
----- A different machine
Patch: 103667-01 Obsoletes: Packages: SUNWcsu, SUNWhea
Patch: 103169-06 Obsoletes: Packages: SUNWcsu, SUNWcsr
Patch: 103242-04 Obsoletes: Packages: SUNWcsu, SUNWcsr, SUNWarc, SUNWbtool, SUNWhea, SUNWtoo
Patch: 103279-02 Obsoletes: , Requires:, 103667-01 Packages: SUNWcsu, SUNWcsr
Patch: 103468-01 Obsoletes: Packages: SUNWcsu
Patch: 103703-01 Obsoletes: , Requires:, 103667-01 Packages: SUNWcsu
Patch: 103815-01 Obsoletes: Packages: SUNWcsu
Patch: 103093-06 Obsoletes: 103084-02, 103489-01 Packages: SUNWcsr, SUNWcar
Patch: 103447-03 Obsoletes: Packages: SUNWcsr
Patch: 102832-01 Obsoletes: Packages: SUNWolrte, SUNWolslb
Patch: 102841-01 Obsoletes: Packages: SUNWolrte, SUNWolslb
Patch: 102850-01 Obsoletes: Packages: SUNWolrte, SUNWolinc, SUNWolslb
Patch: 102832-02 Obsoletes: Packages: SUNWolrte, SUNWolslb
Patch: 102835-01 Obsoletes: Packages: SUNWoldst
Patch: 102837-01 Obsoletes: Packages: SUNWoldst
Patch: 102839-01 Obsoletes: Packages: SUNWoldst
Patch: 103300-02 Obsoletes: Packages: SUNWoldst
Patch: 102971-01 Obsoletes: Packages: SUNWscpu
Patch: 103241-01 Obsoletes: Packages: SUNWbcp
Patch: 103746-01 Obsoletes: , Requires:, 103667-01 Packages: SUNWfns
Patch: 103266-01 Obsoletes: Packages: SUNWnisu
Patch: 103708-01 Obsoletes: , Requires:, 103667-01 Packages: SUNWnisu
Patch: 103017-05 Obsoletes: Packages: SUNWssadv, SUNWssaop
Patch: 102846-01 Obsoletes: Packages: SUNWolimt
-----
--
Paul Henson | System Administrator | Cal Poly Pomona | (909) 869-3781
pbhenson@csupomona.edu | finger henson@brick.dce.csupomona.edu for PGP key
