[7578] in bugtraq
Re: Solaris 2.4 pop buffer overrun
daemon@ATHENA.MIT.EDU (Matthew R. Potter)
Fri Aug 7 22:16:14 1998
Date: Fri, 7 Aug 1998 16:29:22 -0400
Reply-To: "Matthew R. Potter" <mpotter@KMFDM.SYSTEM.GIP.NET>
From: "Matthew R. Potter" <mpotter@KMFDM.SYSTEM.GIP.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <3.0.32.19980805185505.030f1fcc@pop.mad.servicom.es>
At 06:55 PM 8/5/98 +0200, you wrote:
>An old one I guess known but I never saw it in the list:
>
>Solaris 2.4 popper has an overflow in the username explotaible obviously
>as root.
>It's also easy to get root's shadow entry in the core dumped just failing to
>log as root before overruning the username.
Depending on the revision level of 2.4 the dump will follow symolic and
hard links, So why wait to crack the root password when you can slam a few
files and get a full fledged uid of 0. core() is wack in pre 2.5.1(may 96)
versions.
Matt
