[4167] in bugtraq
Re: Exploit for buffer overflow in /bin/eject - Solaris 2.X -
daemon@ATHENA.MIT.EDU (Casper Dik)
Fri Mar 14 11:00:34 1997
Date: Fri, 14 Mar 1997 12:24:39 +0100
Reply-To: Casper Dik <casper@HOLLAND.SUN.COM>
From: Casper Dik <casper@HOLLAND.SUN.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Thu, 13 Mar 1997 21:15:17 +0200."
    <Pine.GSO.3.95.970313211326.23406A-100000@sundy.cs.pub.ro>

>Thu Mar 13 21:01:00 EET 1997 - Romania
>
>"Hole in /bin/eject - buffer overflow"
>
>I exploited the buffer overflow hole in /bin/eject on Solaris 2.X (which
>has the suid exec bit and is owned by root). The buffer overflow problem
>appears in an internal function media_find(). The result is: any user can
>gain a root shell. So, to prevent the /bin/eject exploit, you have to remove
>the suid-exec bit from /bin/eject (that's very simple) and compile a little
>program like:

This bug is most likely fixed with the following Sun patches:
101907-13: SunOS 5.4: fixes to volume management
101908-13: SunOS 5.4_x86: fixes to volume management
104010-01: SunOS 5.5.1: VolMgt Patch
104011-01: SunOS 5.5.1_x86: VolMgt Patch
104012-01: SunOS 5.5.1_ppc: VolMgt Patch
104015-01: SunOS 5.5: vold filemgr fixes
104016-01: SunOS 5.5_x86: vold filemgr fixes

Casper
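
An added example, not part of the message above or of Sun's tooling: a shell function that picks the patch listed above for a given SunOS release and architecture and checks `showrev -p` output for that patch at the listed revision or later. It assumes the `Patch: ID-REV ...` line format of `showrev -p`; the function names and the sample input are constructed, and a "patched" result only means the listed patch level is present.

```sh
#!/bin/sh
# Added example. Function names are hypothetical; patch ids come from the list above.

# required_patch RELEASE ARCH -> prints the "ID-REV" listed for that platform
required_patch() {
    case "$1:$2" in
        5.4:sparc)             echo 101907-13 ;;
        5.4:i386|5.4:x86)      echo 101908-13 ;;
        5.5.1:sparc)           echo 104010-01 ;;
        5.5.1:i386|5.5.1:x86)  echo 104011-01 ;;
        5.5.1:ppc)             echo 104012-01 ;;
        5.5:sparc)             echo 104015-01 ;;
        5.5:i386|5.5:x86)      echo 104016-01 ;;
        *) return 1 ;;         # release/arch not in the list
    esac
}

# check_volmgt_patch RELEASE ARCH   (reads `showrev -p` output on stdin)
# Prints patched | missing | unknown-platform; returns 0 only when patched.
check_volmgt_patch() {
    need=$(required_patch "$1" "$2") || { echo unknown-platform; return 2; }
    id=${need%-*}      # e.g. 104010
    min=${need#*-}     # e.g. 01
    # Highest installed revision of that patch id, empty if none is installed
    have=$(awk -v id="$id" '$1 == "Patch:" && index($2, id "-") == 1 {
               rev = substr($2, length(id) + 2) + 0
               if (rev > max) max = rev
           } END { if (max) print max }')
    if [ -n "$have" ] && [ "$have" -ge "${min#0}" ]; then
        echo patched; return 0
    fi
    echo missing; return 1
}

# Constructed sample of `showrev -p` output (not taken from a real host)
SAMPLE='Patch: 999999-02 Obsoletes:  Requires:  Incompatibles:  Packages: EXAMPLEpkg
Patch: 104010-01 Obsoletes:  Requires:  Incompatibles:  Packages: EXAMPLEpkg'

printf '%s\n' "$SAMPLE" | check_volmgt_patch 5.5.1 sparc   # prints "patched"

# On a live system: showrev -p | check_volmgt_patch "$(uname -r)" "$(uname -p)"
```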