Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit
Date: Wed, 20 Nov 1996 00:56:04 -0600
Reply-To: Joe Zbiciak <im14u2c@cegt201.bradley.edu>
From: Joe Zbiciak <im14u2c@cegt201.bradley.edu>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <m0vPvX9-0005KkC@lightning.swansea.linux.org.uk> from "Alan Cox" at Nov 19, 96 07:08:35 pm
And then Alan Cox went and said something like this:
|
|> The exploit does not work on my 2.5.1 Ultra-1. Presumably this is
|> just a matter of getting the machine code right for the platform. ;)
|
|According to Dave Miller (Linux sparc guru) the I & D caches on the ultra
|are not coherent, so you'll need to find a way to flush the I cache.
|
|Alan
|
I would imagine running a couple copies of a program such as the following
in the background would keep the data caches pretty well flushed:
#include <stdio.h>
/* 64 MB array kept static so it lives off the stack; unsigned so the
   running product cannot overflow into undefined behaviour. */
static unsigned int playpen[1<<24];
int main(void)
{
    int i;
    /* Scrambled index on the write side keeps the data cache churning. */
    while (1) for (i=0;i<(1<<24);i++) playpen[i^0x2a3a4a]=playpen[i]*i+1;
    return 0; /* not reached */
}
I'm not sure how you'd flush the I-cache, though, unless you were able
to construct some really nasty straight-line code that was really long.
A program such as the following might generate a suitable program. (This
program *generates* C code, which you would then need to compile.)
#include <stdio.h>
/* Emits a C program whose loop body is 65536 straight-line statements,
   so the compiled result is far larger than any instruction cache. */
int main(void)
{
    int i;
    printf("int main(void) { static unsigned int playpen[1<<16];\n while(1) {\n");
    for (i=0;i<(1<<16);i++)
        printf("playpen[%d]=playpen[%d]*%d+1;\n",i^0x3a4a,i,(1<<16)-i);
    printf("} return 0; }\n");
    return 0;
}
Then exploiting the bug would be a matter of "racing" the task-switcher,
to see if it will switch tasks after the stack smash, but before the
spurious jump, so that these other tasks have a chance to flush the caches.
Putting the exploiting call into a loop should run the race for you
automagically.
--Joe Z.
--
Joe Zbiciak
im14u2c@bradley.edu
http://ee1.bradley.edu/~im14u2c/
DISCLAIMER: Only crazy people would agree with me.
"Advice... Wise man don't need it, fools don't heed it." -- Darin S. Lory