Bugtraq mailing list archives
Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit
From: raskin () aoml noaa gov (Craig Raskin)
Date: Mon, 18 Nov 1996 20:29:28 -0500
On Mon, 18 Nov 1996, Jeremy Elson wrote:
> I have found what I believe is a very serious security hole in the gethostbyname() function provided in the nsl library of Solaris 2.5 and 2.5.1. The hole allows local users to gain access to a root shell (exploit program provided below). There is a good chance this exploit can be modified to allow a remote attack, but such a method has not yet been found.
After doing some playing around, it looks like this only affects machines with patch level 103615-01 and up. Try backing out of that patch and it should fix the problem.

**************************************************************************
Craig Raskin, raskin () aoml noaa gov
Unix System Administrator
U.S. Dept. Of Commerce
NOAA/AOML, Miami Fl.

"A competent and self-confident person is incapable of jealousy in anything. Jealousy is invariably a symptom of neurotic insecurity." -- Heinlein