[3661] in bugtraq


Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit

daemon@ATHENA.MIT.EDU (Tim Newsham)
Thu Nov 21 04:16:52 1996

Date: 	Wed, 20 Nov 1996 18:37:36 -1000
Reply-To: Tim Newsham <newsham@aloha.net>
From: Tim Newsham <newsham@aloha.net>
X-To:         alan@lxorguk.ukuu.org.uk
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To:  <m0vPvX9-0005KkC@lightning.swansea.linux.org.uk> from "Alan Cox"
              at Nov 19, 96 07:08:35 pm

> > The exploit does not work on my 2.5.1 Ultra-1.  Presumably this is
> > just a matter of getting the machine code right for the platform. ;)
>
> According to Dave Miller (Linux sparc guru) the I & D caches on the ultra
> are not coherent, so you'll need to find a way to flush the I cache.

Cache coherency is not the problem here.  The
exploit uses an opcode (twice) that causes an illegal
instruction exception on sun4u.  Replacing the
instruction with something appropriate for sun4u
results in a working exploit.  The instruction is
the "ta" instruction, a working opcode is "ta 8" for
both occurrences.

> Alan

                                Tim N.
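An added example, not part of Newsham's post or of the exploit under discussion: a small C patcher that walks a SPARC instruction stream, finds every `ta` (trap always) instruction, and rewrites its trap number to 8, which is the fix the reply describes. The encoding used is the SPARC V8 Ticc immediate form (`ta N` with `%g0` as base is `0x91d02000 | N`, so `ta 8` is `0x91d02008`; the V9 `Tcc` form on sun4u with `%icc` encodes identically). The sample buffer is constructed here and is not the exploit's shellcode; the `ta 0` words in it are only stand-ins for whatever opcode the original used.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SPARC V8 Ticc (trap on integer condition), immediate form:
 *   op=10 (bits 31:30), cond (bits 28:25), op3=0x3a (bits 24:19),
 *   rs1 (bits 18:14), i=1 (bit 13), software trap number in the low bits.
 * With cond = "always" (0x8) and rs1 = %g0 every "ta N" is 0x91d02000 | N.
 * On V9/sun4u "ta %icc, N" has cc bits 12:11 = 00, so the word is the same. */
#define TA_MASK        0xffffe000u  /* everything except the 13-bit immediate */
#define TA_MATCH       0x91d02000u  /* ta %g0 + imm, cond = always */
#define TA_SUN4U_TRAP  8u           /* trap number Newsham reports as working on sun4u */

/* SPARC instruction words are big-endian in memory. */
static uint32_t get_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void put_be32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

/* Encode "ta trap" (immediate form, %g0 base). Trap numbers are 7 bits. */
uint32_t encode_ta(unsigned trap)
{
    return TA_MATCH | (trap & 0x7fu);
}

/* Rewrite every "ta N" in a 4-byte-aligned instruction stream to "ta trap".
 * Returns the number of instructions patched, or -1 on bad length or trap. */
int patch_ta(unsigned char *code, size_t len, unsigned trap)
{
    if (len % 4 != 0 || trap > 0x7fu)
        return -1;
    int n = 0;
    for (size_t off = 0; off < len; off += 4) {
        uint32_t insn = get_be32(code + off);
        if ((insn & TA_MASK) == TA_MATCH) {   /* only "ta", not tne/te/... */
            put_be32(code + off, encode_ta(trap));
            n++;
        }
    }
    return n;
}

/* Constructed sample stream (NOT the original exploit's shellcode).
 * "ta 0" stands in for the trap opcode that faults on sun4u. */
static const unsigned char sample[] = {
    0x91, 0xd0, 0x20, 0x00,   /* ta 0                                  */
    0x01, 0x00, 0x00, 0x00,   /* nop                                   */
    0x82, 0x10, 0x20, 0x01,   /* mov 1, %g1  (or %g0, 1, %g1)          */
    0x93, 0xd0, 0x20, 0x08,   /* tne 8: different condition, untouched */
    0x91, 0xd0, 0x20, 0x00,   /* ta 0                                  */
};

/* Patch a copy of the sample and verify the result.
 * Returns the patch count (2) on success, a negative code on failure. */
int demo(void)
{
    unsigned char buf[sizeof sample];
    memcpy(buf, sample, sizeof buf);

    int n = patch_ta(buf, sizeof buf, TA_SUN4U_TRAP);
    if (n < 0)
        return -1;
    /* words 0 and 4 must now be "ta 8" ... */
    if (get_be32(buf + 0) != 0x91d02008u || get_be32(buf + 16) != 0x91d02008u)
        return -2;
    /* ... and the nop, mov and tne in between must be byte-identical */
    if (memcmp(buf + 4, sample + 4, 12) != 0)
        return -3;
    return n;
}

int main(void)
{
    int n = demo();
    printf("patched %d 'ta' instruction(s) to 'ta %u' (0x%08x)\n",
           n, TA_SUN4U_TRAP, encode_ta(TA_SUN4U_TRAP));
    return n == 2 ? 0 : 1;
}
```

The matcher deliberately keys on the full word minus the immediate, so a `tne`, `te`, or a `ta` that uses a register operand instead of an immediate is left alone; if a payload encodes its trap some other way, extend `TA_MASK`/`TA_MATCH` rather than loosening them, since rewriting the wrong word silently produces a different broken payload.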
