[3739] in bugtraq
Re: sunos rlogin
daemon@ATHENA.MIT.EDU (Roger Espel Llima)
Wed Dec 4 19:49:27 1996
Date: Thu, 5 Dec 1996 01:03:17 +0100
Reply-To: Roger Espel Llima <espel@clipper.ens.fr>
From: Roger Espel Llima <espel@clipper.ens.fr>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <199612042127.QAA09599@burgundy.eecs.harvard.edu> from "David Holland" at Dec 4, 96 04:27:15 pm
>> Buffer overrun in rlogin; this has been known (at least to the linux
>> and bsd community) for some months. In at least some versions that
>> buffer is on the stack; an exploit for the old linux rlogin is
>> reported to exist, also, in spite of various difficulties.
On both SunOS4 and current Solaris the problem is there, but not on the
stack...
I was wondering if it might be possible to exploit it under Solaris by
overwriting libc's internal variables (like its internal signal handling
stuff, maybe sending a SIGPIPE just at the right moment, since rlogin
sets a SIGPIPE handler just before doing the offending strcpy()...
doesn't Solaris put the real kernel signal handler to an address
somewhere in libc, and then use a pointer to call the one the program
set? I think I saw this somewhere...).
>> What causes the SEGV? Unless you're hitting the end of the data
>> segment (and you aren't, if the BSS is in fact 8k further along in
>> that direction) *something*'s getting overwritten.
As far as I could understand, the SEGV came from the strcat(), because
the strcpy() overwrites the string that would normally get strcatted (a
"/") so it ends up appending an endless string of 'x's onto itself, and
loops until it reaches the end of the BSS.
-Roger
--
e-mail: roger.espel.llima@ens.fr
WWW page & PGP key: http://www.eleves.ens.fr:8080/home/espel/index.html
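The self-appending strcat() described in the message above, modelled in C. This is an added example, not code from the post or from the SunOS rlogin source: it places a 32-byte term buffer in a toy "segment" with the "/" string stored directly after it (an assumed layout chosen to reproduce the failure, not the real binary's layout), runs the unchecked strcpy() followed by strcat(), and shows that once the "/" has been overwritten the strcat() source lies inside its own destination and never finds a terminator, so the copy runs until the end of the segment. The bounded snprintf() variant at the end is my suggestion for comparison, not a fix taken from the thread.

```c
#include <stdio.h>
#include <string.h>

/*
 * Toy model of a slice of a data/BSS segment. The layout used here (a
 * 32-byte term buffer with the "/" string stored directly after it) is an
 * assumption chosen to reproduce the failure described in the message, not
 * the real layout of the SunOS rlogin binary.
 */
#define SEG_SIZE  128
#define TERM_SIZE 32
#define TERM_OFF  0
#define SEP_OFF   (TERM_OFF + TERM_SIZE)

struct seg { char mem[SEG_SIZE]; };

/* Constructed inputs: a normal $TERM and a 40-byte one that overflows. */
static const char SHORT_TERM[] = "vt100";
static const char LONG_TERM[]  = "xxxxxxxxxx" "xxxxxxxxxx" "xxxxxxxxxx" "xxxxxxxxxx";

static void seg_init(struct seg *s)
{
    memset(s->mem, 0, sizeof s->mem);
    strcpy(s->mem + TERM_OFF, "network");  /* the buffer's initial contents */
    s->mem[SEP_OFF] = '/';                 /* the string strcat() will append */
    s->mem[SEP_OFF + 1] = '\0';
}

/* Unchecked strcpy(term, getenv("TERM")) as the message describes it, clipped
 * at the end of the modelled segment instead of faulting. */
static void unchecked_copy(struct seg *s, const char *termenv)
{
    size_t n = strlen(termenv) + 1;
    if (n > SEG_SIZE - TERM_OFF)
        n = SEG_SIZE - TERM_OFF;
    memcpy(s->mem + TERM_OFF, termenv, n);
}

/* strcat(term, "/") done byte by byte inside the model. Returns 1 if a
 * terminator was found and copied, 0 if the loop ran to the segment end
 * (where a real process hits unmapped memory and takes SIGSEGV).
 * *copied counts bytes written, terminator included. */
static int model_strcat(struct seg *s, size_t *copied)
{
    size_t d = TERM_OFF, si = SEP_OFF;
    *copied = 0;
    while (d < SEG_SIZE && s->mem[d] != '\0')
        d++;
    while (d < SEG_SIZE && si < SEG_SIZE) {
        char c = s->mem[si++];
        s->mem[d++] = c;           /* once si < d and mem[si] is 'x' forever, this never stops */
        (*copied)++;
        if (c == '\0')
            return 1;
    }
    return 0;
}

static int run_vulnerable(const char *termenv, struct seg *s, size_t *copied)
{
    seg_init(s);
    unchecked_copy(s, termenv);
    return model_strcat(s, copied);
}

/* 1 if strcat() terminated normally, 0 if it appended the buffer onto itself
 * until the end of the segment. */
int vulnerable_terminates(const char *termenv)
{
    struct seg s; size_t copied;
    return run_vulnerable(termenv, &s, &copied);
}

/* 1 if the "/" string survived the strcpy(), 0 if it was overwritten. */
int vulnerable_sep_intact(const char *termenv)
{
    struct seg s;
    seg_init(&s);
    unchecked_copy(&s, termenv);
    return s.mem[SEP_OFF] == '/' && s.mem[SEP_OFF + 1] == '\0';
}

/* Bytes strcat() wrote before stopping or reaching the segment end. */
size_t vulnerable_copied_bytes(const char *termenv)
{
    struct seg s; size_t copied;
    run_vulnerable(termenv, &s, &copied);
    return copied;
}

/* Bounded alternative (my suggestion, not from the thread): build "term/"
 * with snprintf() into the fixed buffer and reject truncation. Returns 1 if
 * it fit, 0 if $TERM was too long, -1 if "/" was touched (the bound prevents it). */
int hardened_result(const char *termenv)
{
    struct seg s;
    seg_init(&s);
    int r = snprintf(s.mem + TERM_OFF, TERM_SIZE, "%s/", termenv);
    if (s.mem[SEP_OFF] != '/' || s.mem[SEP_OFF + 1] != '\0')
        return -1;
    return (r >= 0 && (size_t)r < TERM_SIZE) ? 1 : 0;
}

int main(void)
{
    const char *inputs[] = { SHORT_TERM, LONG_TERM };
    for (int i = 0; i < 2; i++)
        printf("TERM of %zu bytes: sep %s, strcat %s after %zu bytes, bounded=%d\n",
               strlen(inputs[i]),
               vulnerable_sep_intact(inputs[i]) ? "intact" : "overwritten",
               vulnerable_terminates(inputs[i]) ? "terminates" : "runs to segment end",
               vulnerable_copied_bytes(inputs[i]),
               hardened_result(inputs[i]));
    return 0;
}
```

With the 40-byte value the terminator lands at offset 40, the source index starts at 32, and every byte the loop reads has already been overwritten with 'x' by the destination index eight bytes ahead of it, so the copy only stops at the modelled segment boundary; in the real process that boundary is the first unmapped page after the BSS, hence the SEGV rather than a controlled crash.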