[4164] in bugtraq
Re: Exploit for buffer overflow in /bin/eject - Solaris 2.X -
daemon@ATHENA.MIT.EDU (The Nocturnal Prince)
Fri Mar 14 02:26:10 1997
Date: Fri, 14 Mar 1997 00:18:31 -0600
Reply-To: The Nocturnal Prince <alucard@THOR.PLA-NET.NET>
From: The Nocturnal Prince <alucard@THOR.PLA-NET.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.SUN.3.91.970313173232.28519D@maui.cc.odu.edu>
On Thu, 13 Mar 1997, Jonathan Sturges wrote:
> I was just testing this on my Solaris 2.5 (SPARC) boxes. And, it appears
> that if you're running Volume Management (vold), eject doesn't need
> to be set-UID anyway.
>
--Ditto on 2.4, which is what we're running here. Removing the
setuid bit made the hole a non-issue, and didn't change the way
the command worked. I suspect that the automounter might have
something to do with it... (Correct me if I'm wrong here...) I assume
that the setuid is for implementations without automount/volume
management, where the eject program would need to umount the cd
itself. Since the management/automount programs handle the mounting
and umounting _for_ us, all /bin/eject needs to do is activate the
mechanics...something for which setuid root isn't needed.
Something I'm curious about, however: why are the last two chars of the
shellcode commented out in the 2.4 exploit, and why on earth does it
still work?
E.g.:
> > "\x91\xd0"/*\x20\x08"*/
--Ed--
-._.-~alucard@pla-net.net-~~-._.-~~-._.-~~-._.If I must die,-~~-._.-~~-
-._.-~Chief Systems Officer~-._.-~I will encounter darkness as a bride-
-.http://www.pla-net.net/~alucard/~-._.-~~-.And hug it in my arms_.-~~-
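The mitigation both posters describe (drop the setuid bit from eject when vold handles mounting) as a small audit script. This is an added example, not code from either poster; the eject path and the `ps`-based vold check are assumptions, and the mode parsing uses `ls -ld` so it works on old Solaris as well as Linux/BSD.

```shell
#!/bin/sh
# Return 0 if the file at $1 carries the setuid bit, 1 if not, 2 if missing.
# Parses the mode column of `ls -ld` (portable; no GNU/BSD stat flags needed).
has_setuid() {
  mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10) || return 2
  [ -n "$mode" ] || return 2
  case "$mode" in
    ???[sS]??????) return 0 ;;   # 's' = setuid+exec, 'S' = setuid without exec
    *) return 1 ;;
  esac
}

# Remove the setuid bit from $1 and verify it is really gone afterwards.
strip_setuid() {
  [ -f "$1" ] || { echo "no such file: $1" >&2; return 2; }
  chmod u-s "$1" || return 1
  if has_setuid "$1"; then
    echo "setuid bit still present on $1" >&2
    return 1
  fi
  return 0
}

# Heuristic: is the volume manager daemon running? (assumption: `ps -e` lists it as "vold")
vold_running() {
  ps -e 2>/dev/null | grep -w '[v]old' >/dev/null
}

# Audit a single binary (default: /usr/bin/eject, an assumed path). Prints a
# recommendation; strips the bit only when "fix" is passed as the second arg.
audit_eject() {
  path=${1:-/usr/bin/eject}
  if ! has_setuid "$path"; then
    echo "$path: not setuid, nothing to do"; return 0
  fi
  if vold_running; then
    echo "$path: setuid but vold is running; the bit is unnecessary"
    [ "$2" = fix ] && strip_setuid "$path"
  else
    echo "$path: setuid and no vold found; review before removing the bit"
  fi
}

# Audit mode: list every setuid-root file under the given directories.
list_setuid_root() {
  for d in "$@"; do
    [ -d "$d" ] && find "$d" -type f -perm -4000 -user root -print 2>/dev/null
  done
  return 0
}
```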