[4100] in bugtraq


Re: BIG Security Hole in Solaris 2.X (X)passwd + exploit (fwd)

daemon@ATHENA.MIT.EDU (Aggelos P. Varvitsiotis)
Thu Feb 27 15:31:37 1997

Date: 	Thu, 27 Feb 1997 19:44:57 +0200
Reply-To: "Aggelos P. Varvitsiotis" <avarvit@CC.ECE.NTUA.GR>
From: "Aggelos P. Varvitsiotis" <avarvit@CC.ECE.NTUA.GR>
To: BUGTRAQ@netspace.org

Cristian SCHIPOR <skipo@sundy.cs.pub.ro> writes:
>
> An Exploit for a Big Big security hole in passwd ( + yppasswd and nispasswd)
>
> Under Solaris 2.X passwd, yppasswd and nispasswd can be overflowed in
> an internal function (something like sa_chauthtok()). Using a buffer
> overflow exploit anyone can gain root access (passwd needs the suid exec bit
> from root). passwd has a second overflow bug when it is called with
> the '-s' option, in an internal strcpy().
>
> I wrote two exploits, one for Solaris 2.4 and one for Solaris 2.5, for the
> sa_chauthtok() type function (passwd LEMON_BUFFER). There's a little trick
> here - the LEMON_BUFFER is shifted in memory by 1 char after exec, so one
> must shift the LEMON_BUFFER in the reverse direction before exec -
> that happens only for a special combination of the exec args -
> see my exploits.

[exploits deleted]

I verified the exploit on Solaris 2.5.1, when /etc/nsswitch.conf contains
the line

passwd: files

However, as it was the case with the gethostbyname() exploit, when
/etc/nsswitch.conf reads

passwd: files nis

the exploit did not work. It seems that passwd(1) queries the NIS
server and falls into some kind of an infinite loop. Maybe Casper Dik
(who, if I remember well, had an explanation for the gethostbyname()
case) can explain this better than I can.

Can anyone confirm this behavior?
---

a.varvitsiotis@ece.ntua.gr                      A.Varvitsiotis
                                             ICCS Computer Center
                                      National Technical University of Athens
