[7671] in bugtraq
Re: solaris 2.x rdist exploit/ too many humbles :P
daemon@ATHENA.MIT.EDU (gilbert@ALLEYCAT.VPI.HYDRO.QC.CA)
Fri Aug 14 12:47:33 1998
Date: Fri, 14 Aug 1998 12:07:46 -0400
Reply-To: gilbert@ALLEYCAT.VPI.HYDRO.QC.CA
From: gilbert@ALLEYCAT.VPI.HYDRO.QC.CA
To: BUGTRAQ@NETSPACE.ORG

John Mcdonald wrote:
>
> Enclosed is an exploit for a hole in Solaris rdist that I believe the
> patch #105667-01 addresses. That patch is for 2.6. I've personally tested
> the exploit on 2.6, 2.5.1, and 2.5 machines.

I've tested the rdist exploit on a Sparc 20 w/ Solaris 2.6 unpatched, and
it works. It is foiled however by adding "set noexec_user_stack=1" to
/etc/system.

Stack address: 0xefffe748. Safe address: 0xefffe650 (delta 248).
Jumping to address 0xeffff080 B[1024] E[400] SO[2360]
rdist: line 1: : No such file or directory
gilbert@alleycat.vpi.hydro.qc.ca> id
uid=1001(gilbert) gid=10(staff)
--
Patrick Gilbert +1 (514) 289-2211.6325
Projets Speciaux / Hydro-Quebec gilbert@alleycat.vpi.hydro.qc.ca
Montreal (QC), Canada CC FC E6 B7 20 7D 6A 11 78 FB 59 86 FE BA 9F 73
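
A check for the /etc/system setting mentioned in the reply above, as an added example that is not part of the original post. The function names and the sample file are assumptions made for illustration, as is the rule that the last assignment in the file is the one that counts.

```shell
#!/bin/sh
# Added example (not from the original post): audit a file in /etc/system
# format for the "set noexec_user_stack=1" line the reply describes.

# Print "enabled", "not-enabled" or "unset" for the file given as $1.
# Assumption: if the tunable is set more than once, the last line counts.
noexec_stack_state() {
    awk '
        /^[ \t]*[*#]/ { next }    # system(4) comments start with * or #
        {
            line = $0
            sub(/^[ \t]*/, "", line)
            # Exact name only: longer names such as noexec_user_stack_log
            # must not be mistaken for the tunable itself.
            if (line !~ /^set[ \t]+noexec_user_stack[ \t]*=/) next
            sub(/^set[ \t]+noexec_user_stack[ \t]*=[ \t]*/, "", line)
            sub(/[ \t]+$/, "", line)
            state = (line == "1") ? "enabled" : "not-enabled"
        }
        END { print (state == "" ? "unset" : state) }
    ' "${1:-/etc/system}"
}

# Exit status 0 only when the setting is present and equal to 1.
stack_protection_ok() {
    [ "$(noexec_stack_state "$1")" = "enabled" ]
}

# Constructed sample: the setting itself appears only in a comment line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
* set noexec_user_stack=1
set noexec_user_stack_log=1
EOF
echo "sample: $(noexec_stack_state "$sample")"
rm -f "$sample"
```

/etc/system is read at boot, so this reports what the next boot will apply, not the state of the running kernel.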