[4361] in bugtraq


Possibly exploitable buffer overflow in Solaris 2.5.1 ps

daemon@ATHENA.MIT.EDU (Joe Zbiciak)
Mon Apr 28 23:52:50 1997

Date: 	Mon, 28 Apr 1997 03:54:33 -0500
Reply-To: Joe Zbiciak <jzbiciak@MICRO.TI.COM>
From: Joe Zbiciak <jzbiciak@MICRO.TI.COM>
To: BUGTRAQ@NETSPACE.ORG

All,

In poking around, I discovered it's possible to bus-error /usr/bin/ps
on Solaris 2.5.1.  (Not certain if any patches affecting ps have been
applied to the system I discovered this on.)

Giving "-u" a suitably large argument produces the bus error.  I've not
yet managed to exploit it.  Here's my analysis so far:

user arg >9 chars:   null termination lost, extra garbage in error msg.
user arg >32 chars:  ps gets completely confused about commandline and
                     prints generic usage information.
user arg >95 chars:  ps starts segmentation faulting.
user arg >100 chars: ps starts bus-erroring.

(This is using a commandline of the form 'ps -u aaaaa....aaaa'.)

It appears from this that the return address is at offset 96.  Now it's
just a matter of someone digging out the generic Solaris 'sploit and
tuning 'er up.

--Joe

--
 +--------------Joseph Zbiciak--------------+
 |- - - - - jzbiciak@micro.ti.com  - - - - -|
 | - - http://ee1.bradley.edu/~im14u2c/ - - |      Not your average "Joe."
 |- - - - Texas Instruments,  Dallas - - - -|
 +-------#include <std_disclaimer.h>--------+
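
The "user arg >9 chars: null termination lost" symptom above is what a 10-byte name buffer filled with `strncpy(dst, src, sizeof dst)` produces. The following C is an added illustration of that bug class beside its hardened form; it is not Solaris ps source, and the 10-byte buffer, the `struct frame` layout and the function names are assumptions chosen to match the post's threshold.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction, not the real ps layout: a fixed 10-byte
 * buffer for the -u argument.  strncpy() with the full buffer size never
 * writes a terminator when the source is >= 10 chars, so whatever follows
 * the buffer is printed along with the name ("extra garbage in error msg"). */
#define USER_BUF 10

struct frame {
    char user[USER_BUF];    /* the -u argument */
    char next[8];           /* stand-in for whatever follows on the stack */
};

/* Vulnerable pattern: returns 1 if user[] still holds a terminator. */
int unsafe_copy_terminated(const char *arg)
{
    struct frame f;
    memset(&f, 'X', sizeof f);             /* constructed "stack garbage" */
    strncpy(f.user, arg, sizeof f.user);   /* truncates, may not terminate */
    return memchr(f.user, '\0', sizeof f.user) != NULL;
}

/* Hardened copy: reject anything that does not fit with its terminator,
 * the way a fixed ps should answer an over-long -u with a usage error. */
int safe_copy(char *dst, size_t dstsz, const char *arg)
{
    size_t n = strlen(arg);
    if (n >= dstsz)
        return -1;                          /* caller prints usage and exits */
    memcpy(dst, arg, n + 1);                /* n+1 copies the terminator */
    return 0;
}

/* Convenience wrapper: 1 if the hardened copy accepts the argument. */
int safe_copy_accepts(const char *arg)
{
    char buf[USER_BUF];
    return safe_copy(buf, sizeof buf, arg) == 0;
}

int main(void)
{
    const char *args[] = { "root", "aaaaaaaaa", "aaaaaaaaaa" }; /* 4, 9, 10 */
    for (size_t i = 0; i < 3; i++)
        printf("%-11s unsafe terminated=%d  safe accepts=%d\n", args[i],
               unsafe_copy_terminated(args[i]), safe_copy_accepts(args[i]));
    return 0;
}
```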
