[9432] in bugtraq
Re: Buffer overflow in Solaris 2.6/2.7 /usr/bin/lpstat
daemon@ATHENA.MIT.EDU (GANG WANG)
Tue Feb 9 14:45:17 1999
Date: Mon, 8 Feb 1999 18:31:50 -0800
Reply-To: GANG WANG <gang_w@goselecttech.com>
From: GANG WANG <gang_w@GOSELECTTECH.COM>
X-To: plasmoid deep/thc/clb <plasmoid@PIMMEL.COM>
To: BUGTRAQ@NETSPACE.ORG
Things are a little different on Solaris 2.6 Sparc. lpstat only
accepts a buffer which doesn't contain \x20, \x0a or \x3b.
Can somebody teach me how to write a shellcode on Solaris Sparc
without those characters? I feel that I'm so stupid :-(
G.
-----Original Message-----
From: plasmoid deep/thc/clb <plasmoid@PIMMEL.COM>
To: BUGTRAQ@NETSPACE.ORG <BUGTRAQ@NETSPACE.ORG>
Date: Wednesday, January 27, 1999 11:16 AM
Subject: Buffer overflow in Solaris 2.6/2.7 /usr/bin/lpstat
>
>On Aug/25/98 Sun released the following patches for lp:
>
> Solaris2.6 Sparc: 106235-02
> Solaris2.6 x86: 106236
>
>It is quite sad that they did not fix another overflow in
>/usr/bin/lpstat. I tested this bug on both Solaris 2.7 x86
>and 2.6 Sparc; I assume that it is also present on Solaris 2.6
>x86 and 2.7 Sparc.
>
>Solaris 2.7 x86
>% plasmoid@gorkie:foo> lpstat -c `perl -e 'print "A" x 998'`
>% UX:lpstat: ERROR: Class
> [...]
>% AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" does
>% not exist.
>% TO FIX: Use the "lpstat -c all" command to list
>% all known classes.
>% Segmentation Fault
>% plasmoid@gorkie:foo>
>
>Solaris 2.6 Sparc
>% plasmoid@bock:foo> lpstat -c `perl -e 'print "AAAA" x 250'`
>% UX:lpstat: ERROR: Class
> [...]
>% AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" does not
>% exist.
>% TO FIX: Use the "lpstat -c all" command to list
>% all known classes.
>% Segmentation Fault
>% plasmoid@bock:foo>
>
>This overflow is definitely exploitable; I attached the exploit for
>Solaris x86. Quality patches for all Solaris versions can be obtained
>from www.hert.org, a fast security source.
>
>plasmoid deep/thc/clb
>http://thc.inferno.tusculum.edu
>