[8262] in bugtraq
Re: ospf_monitor (Solaris 2.5)
daemon@ATHENA.MIT.EDU (Seth Michael McGann)
Fri Oct 23 17:18:59 1998
Date: Thu, 22 Oct 1998 02:25:13 -0400
Reply-To: Seth Michael McGann <smm@WPI.EDU>
From: Seth Michael McGann <smm@WPI.EDU>
X-To: Joel Eriksson <na98jen@STUDENT.HIG.SE>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.OSF.4.02A.9810220049520.20524-100000@reno.WPI.EDU>
On Thu, 22 Oct 1998, Seth Michael McGann wrote:
>
> I can confirm that the version in FreeBSD 2.2.6 is indeed vulnerable; the
> stack is smashed and we are root at the time :(. Fortunately, it is not
> executable by anyone but root or group ospf. I would venture that Solaris
> x86 is vulnerable. The exploit is trivial, just change the target in your
> favorite local overflow and exec.
>
I hate to reply to myself, but:
On further inspection, it appears ospf_monitor drops privileges after
opening a raw multicast socket, but before it overflows. So basically, no
instant root, but you have an open raw socket descriptor, which could be
useful. Ah well...
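Added example, not from this post or from the ospf_monitor code itself: the ordering the reply describes (open the privileged raw socket as root, then drop privileges before touching untrusted input), with a check that the drop is irrevocable and an audit of which socket descriptors survive it. It assumes Linux/glibc; drop_privileges and count_sockets_of_type are hypothetical helper names.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <sys/socket.h>
#include <unistd.h>

/* Drop to uid/gid permanently and verify the drop took. Returns 0 on success.
 * Order matters: supplementary groups first, then gid, then uid; once the
 * uid is non-root the process can no longer change its groups. */
int drop_privileges(uid_t uid, gid_t gid) {
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    /* setgroups() needs root; skip it when this example runs unprivileged. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    /* Check real, effective and saved ids all moved: a saved uid of 0 left
     * behind would let a compromised process regain root. */
    if (getresuid(&ru, &eu, &su) != 0 || ru != uid || eu != uid || su != uid) return -1;
    if (getresgid(&rg, &eg, &sg) != 0 || rg != gid || eg != gid || sg != gid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1; /* must be irrevocable */
    return 0;
}

/* Count open descriptors that are sockets of the given type (SOCK_RAW, ...).
 * Dropping privileges does not close descriptors opened while root, so a
 * daemon should audit (and close what it no longer needs) before it starts
 * parsing untrusted input. */
int count_sockets_of_type(int type) {
    long maxfd = sysconf(_SC_OPEN_MAX);
    int n = 0;
    if (maxfd < 0 || maxfd > 65536) maxfd = 65536; /* keep the scan bounded */
    for (int fd = 0; fd < maxfd; fd++) {
        int t;
        socklen_t len = sizeof t;
        if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &t, &len) == 0 && t == type) n++;
    }
    return n;
}
```

Run as root, count_sockets_of_type(SOCK_RAW) after drop_privileges() shows exactly the descriptor the reply is talking about; run unprivileged, the same audit works against any socket type.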