[8261] in bugtraq
Re: ospf_monitor (Solaris 2.5)
daemon@ATHENA.MIT.EDU (Seth Michael McGann)
Fri Oct 23 17:18:57 1998
Date: Thu, 22 Oct 1998 00:55:48 -0400
Reply-To: Seth Michael McGann <smm@WPI.EDU>
From: Seth Michael McGann <smm@WPI.EDU>
X-To: Joel Eriksson <na98jen@STUDENT.HIG.SE>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.SO4.4.02.9810212127350.27879-100000@stratus>
I can confirm that the version in FreeBSD 2.2.6 is indeed vulnerable, the
stack is smashed and we are root at the time :(. Fortunately, it is not
executable by anyone but root or group ospf. I would venture that solaris
x86 is vulnerable. The exploit is trivial, just change the target in your
favorite local overflow and exec.
On Wed, 21 Oct 1998, Joel Eriksson wrote:
> This looks suspicious:
>
> bash$ ospf_monitor `perl -e 'print "A"x1066'`
> task_get_proto: getprotobyname("ospf") failed, using proto 89
> listening on 0.0.0.0.64527
> Segmentation Fault
>
> bash$ ls -l /usr/bin/ospf_monitor
> -rwsr-xr-x 1 root other 61892 Sep 17 1997
> /usr/bin/ospf_monitor
>
> Has anyone succeded in exploiting this? It sure looks like a
> bufferoverflow to me..
>
> /Joel Eriksson
