[17693] in bugtraq
Re: Solaris libc locale bug exploit against non-exec stack
daemon@ATHENA.MIT.EDU (Chris Wing)
Sun Nov 19 20:26:45 2000
Message-Id: <Pine.LNX.4.21.0011181755400.30776-100000@penguin.engin.umich.edu>
Date: Sat, 18 Nov 2000 18:22:17 -0500
Reply-To: Chris Wing <wingc@ENGIN.UMICH.EDU>
From: Chris Wing <wingc@ENGIN.UMICH.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
Here is a workaround to the libc locale exploit in Solaris that should
work until Sun releases an official patch:
http://www-personal.engin.umich.edu/~wingc/patches/fix-libc.c
This program modifies the Solaris libc by writing a null byte into the
first occurrence of the string "NLSPATH". Basically, it disables NLSPATH
entirely, by changing (within libc)
getenv("NLSPATH")
into
getenv("")
This is tested on Solaris 2.6 and stops the exploit.
To use it, make a copy of libc and run the program on that copy:
cc -o fix-libc fix-libc.c
cp /usr/lib/libc.so.1 some-file-name
./fix-libc some-file-name
Note that you should only replace libc 'atomically'; if you remove your
existing libc with a shell command, you won't be able to run another shell
command to put a new one in its place. Solaris 'mv' correctly replaces
libc in place, i.e.:
cp /usr/lib/libc.so.1 somewhere-backup-file
mv fixed-libc /usr/lib/libc.so.1
Be careful in any case if you do replace libc!!
-Chris Wing
wingc@engin.umich.edu
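As an added example (not the fix-libc.c from the post, which is only linked), a small C patcher that applies the same workaround: load a copy of the library, NUL the first byte of the first "NLSPATH" so the embedded getenv("NLSPATH") reads as getenv(""), and write that byte back. The `sample_image` bytes are a constructed stand-in for a libc image and the function names are my own; run it only against a copy, as the post advises.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* NUL the first byte of the first `needle` in buf, so an embedded "NLSPATH"
 * reads as "" when libc later passes it to getenv(). Returns the patched
 * offset, or -1 if the string is absent. */
long nul_first_occurrence(unsigned char *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; n > 0 && i + n <= len; i++) {
        if (memcmp(buf + i, needle, n) == 0) { buf[i] = '\0'; return (long)i; }
    }
    return -1;
}

/* Load a COPY of the library, patch it in memory, write the one byte back.
 * Returns the offset, -1 if absent (file untouched), -2 on I/O failure. */
long patch_file(const char *path, const char *needle)
{
    long size, off = -2;
    unsigned char *buf = NULL;
    FILE *f = fopen(path, "r+b");
    if (!f) return -2;
    if (fseek(f, 0, SEEK_END) == 0 && (size = ftell(f)) > 0 &&
        (buf = malloc((size_t)size)) != NULL && fseek(f, 0, SEEK_SET) == 0 &&
        fread(buf, 1, (size_t)size, f) == (size_t)size) {
        off = nul_first_occurrence(buf, (size_t)size, needle);
        if (off >= 0 && (fseek(f, off, SEEK_SET) != 0 || fputc('\0', f) == EOF))
            off = -2;   /* read succeeded but the one-byte write failed */
    }
    free(buf);
    if (fclose(f) != 0) return -2;
    return off;
}

/* Constructed stand-in for a libc image: ELF magic plus a few environment
 * variable names laid out as they would sit in the string table. */
const char sample_image[] = "\177ELF" "LANG\0" "NLSPATH\0" "MSGVERB\0";
#define SAMPLE_LEN (sizeof(sample_image) - 1)

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s copy-of-libc.so.1\n", argv[0]); return 2; }
    long off = patch_file(argv[1], "NLSPATH");
    if (off < 0) { fprintf(stderr, "not patched (code %ld)\n", off); return 1; }
    printf("wrote NUL at offset %ld in %s\n", off, argv[1]);
    return 0;
}
```

After the patch, a second scan no longer finds "NLSPATH" at all, which is exactly why the variable can no longer steer libc's message-catalog lookup; other strings in the image are untouched.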