[9290] in bugtraq


Re: Buffer overflow in Solaris 2.6/2.7 /usr/bin/lpstat

daemon@ATHENA.MIT.EDU (Casper Dik)
Fri Jan 29 02:40:40 1999

Date: 	Thu, 28 Jan 1999 21:32:28 +0100
Reply-To: Casper Dik <casper@HOLLAND.SUN.COM>
From: Casper Dik <casper@HOLLAND.SUN.COM>
X-To:         plasmoid deep/thc/clb <plasmoid@PIMMEL.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  Your message of "Tue, 26 Jan 1999 15:02:47 GMT." 
              <Pine.GSO.4.05.9901261448100.548-200000@gorkie>

>On Aug/25/98 Sun released the following patches for lp:
>
> Solaris2.6 Sparc: 106235-02
> Solaris2.6 x86:   106236
>
>It is quite sad that they did not fix another overflow in
>/usr/bin/lpstat. I tested this bug on both Solaris 2.7 x86
>and 2.6 Sparc; I assume that it is also present on Solaris 2.6
>x86 and 2.7 Sparc.
>
>Solaris 2.7 x86
>% plasmoid@gorkie:foo> lpstat -c `perl -e 'print "A" x 998'`
>% UX:lpstat: ERROR: Class
>                    [...]
>%                   AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" does
>%                   not exist.
>%           TO FIX: Use the "lpstat -c all" command to list
>%                   all known classes.
>% Segmentation Fault
>% plasmoid@gorkie:foo>


Hm, but if you look at it with truss another picture appears:

It appears that the program that core dumps is /usr/lib/lp/local/lpstat.
That program is not set-uid.  The intervening shell (hm, someone using
system again???) resets the uid.

9125:   execve("/usr/bin/lpstat", 0xFFBEF3DC, 0xFFBEF3EC)  argc = 3
9125:       *** SUID: ruid/euid/suid = 21782 / 0 / 0  ***
9125:       *** SGID: rgid/egid/sgid = 320 / 320 / 320  ***
9125:    argv: lpstat -c
9125:     xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
9126:   execve("/bin/sh", 0xFFBEEB98, 0xFFBEF404)  argc = 3
9126:    argv: sh -c
9126:     /usr/lib/lp/local/lpstat -c xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
9126:   setuid(21782)                                   = 0
9128:   execve("/usr/lib/lp/local/lpstat", 0x0003A654, 0x0003A664)  argc = 3
9128:       *** SUID: ruid/euid/suid = 21782 / 21782 / 21782  ***
9128:    argv: /usr/lib/lp/local/lpstat -c
9128:     xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
UX:lpstat: ERROR: Class
                  "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" does
                  not exist.
          TO FIX: Use the "lpstat -c all" command to list
                  all known classes.
9128:       Incurred fault #6, FLTBOUNDS  %pc = 0xFF2B679C
9128:         siginfo: SIGSEGV SEGV_MAPERR addr=0x78787878
9128:       Received signal #11, SIGSEGV [default]
9128:         siginfo: SIGSEGV SEGV_MAPERR addr=0x78787878
9128:           *** process killed ***
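The point of the truss output above is that the crashing binary runs only after the credentials have been reset: the SUID line for pid 9125 shows ruid 21782 / euid 0, while the one for pid 9128 shows 21782 / 21782 / 21782. The following C program is an added example (not code from the post, from Sun, or from the lp subsystem) that automates that reading of a trace and shows the same permanent drop on a live process. It embeds a constructed trace excerpt built from the lines quoted above, and it assumes a glibc-style `getresuid()`/`setresuid()` (available on Linux and on recent Solaris releases).

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Credentials reported on a truss "*** SUID: ruid/euid/suid = r / e / s ***" line. */
struct creds {
    uid_t ruid, euid, suid;
};

/* Parse one truss line.  Returns 1 and fills *c if the line is a SUID
 * credential report, 0 for any other truss output (SGID lines, syscalls, argv). */
int parse_truss_suid_line(const char *line, struct creds *c)
{
    static const char marker[] = "SUID: ruid/euid/suid =";
    const char *p = strstr(line, marker);
    unsigned r, e, s;
    if (!p) return 0;
    p += sizeof marker - 1;
    if (sscanf(p, " %u / %u / %u", &r, &e, &s) != 3) return 0;
    c->ruid = r; c->euid = e; c->suid = s;
    return 1;
}

/* A process is "elevated" when a memory-corruption bug in it could run code
 * with privileges its invoker does not have: effective or saved uid differs
 * from the real uid.  All three equal (as for pid 9128 above) means a crash
 * there gains nothing beyond what the invoking user already has. */
int creds_elevated(const struct creds *c)
{
    return c->euid != c->ruid || c->suid != c->ruid;
}

/* Scan a whole trace.  Returns the number of SUID lines seen and stores in
 * *elevated how many of those reported elevated credentials. */
int scan_trace(const char *trace, int *elevated)
{
    int seen = 0;
    *elevated = 0;
    while (*trace) {
        const char *nl = strchr(trace, '\n');
        size_t full = nl ? (size_t)(nl - trace) : strlen(trace);
        size_t len = full < 255 ? full : 255;
        char line[256];
        struct creds c;
        memcpy(line, trace, len);
        line[len] = '\0';
        if (parse_truss_suid_line(line, &c)) {
            seen++;
            if (creds_elevated(&c)) (*elevated)++;
        }
        trace += full + (nl ? 1 : 0);
    }
    return seen;
}

/* Constructed excerpt of the trace quoted in the post, argv shortened. */
const char SAMPLE_TRACE[] =
    "9125:   execve(\"/usr/bin/lpstat\", 0xFFBEF3DC, 0xFFBEF3EC)  argc = 3\n"
    "9125:       *** SUID: ruid/euid/suid = 21782 / 0 / 0  ***\n"
    "9125:       *** SGID: rgid/egid/sgid = 320 / 320 / 320  ***\n"
    "9126:   execve(\"/bin/sh\", 0xFFBEEB98, 0xFFBEF404)  argc = 3\n"
    "9126:   setuid(21782)                                   = 0\n"
    "9128:   execve(\"/usr/lib/lp/local/lpstat\", 0x0003A654, 0x0003A664)  argc = 3\n"
    "9128:       *** SUID: ruid/euid/suid = 21782 / 21782 / 21782  ***\n";

/* Verify on the live process that ruid == euid == suid, i.e. that no saved
 * uid remains from which privileges could be regained. */
int privs_fully_dropped(void)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0) return 0;
    return r == e && e == s;
}

/* Drop to the real uid permanently before handing control to a helper that
 * is not trusted to be free of memory bugs.  setresuid() sets all three ids
 * even when the caller is not root; plain setuid() only resets the saved uid
 * when the effective uid is 0.  Returns 0 on success, -1 on failure. */
int drop_privs_permanently(void)
{
    uid_t ruid = getuid();
    if (setresuid(ruid, ruid, ruid) != 0) return -1;
    return privs_fully_dropped() ? 0 : -1;
}

int main(void)
{
    int elevated = 0;
    int seen = scan_trace(SAMPLE_TRACE, &elevated);
    printf("SUID reports: %d, of which elevated: %d\n", seen, elevated);
    printf("drop_privs_permanently: %s\n",
           drop_privs_permanently() == 0 ? "ok" : "failed");
    return 0;
}
```

The trace scanner reports one elevated exec (the set-uid wrapper) and one non-elevated exec (the helper that actually crashes), which is the distinction the post draws. Note that invoking the helper through `system()` leaves the privilege reset to the shell's behaviour; calling `setresuid()` (or `setuid()` while euid is 0) explicitly before `execve()`, and checking the result as above, makes that reset independent of what the shell does.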
