Bugtraq mailing list archives
Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit
From: henson () intranet csupomona edu (Paul B. Henson)
Date: Mon, 18 Nov 1996 18:40:58 -0800
I have found what I believe is a very serious security hole in the gethostbyname() function provided in the nsl library of Solaris 2.5 and 2.5.1. The hole allows local users to gain access to a root shell (exploit program provided below). There is a good chance this exploit can be modified to allow a remote attack, but such a method has not yet been found.

After doing some playing around, it looks like this only affects machines with patch level 103615-01 and up. Try backing out of that patch and it should fix the problem.
I have some Solaris 2.5 machines at different patch levels (see showrev -p output below), and they're all affected by this bug. Neither one has patch 103615-01 on it. I checked the patch list, and it seems that 103615-* only applies to 2.5.1, not 2.5. A friend of mine has a 2.5 box with *no* patches installed, and he said the exploit program doesn't seem to work on it. Any news on an official patch from Sun?

----- One machine

Patch: 102832-01 Obsoletes: Packages: SUNWolrte, SUNWolslb
Patch: 102841-01 Obsoletes: Packages: SUNWolrte, SUNWolslb
Patch: 102850-01 Obsoletes: Packages: SUNWolrte, SUNWolinc, SUNWolslb
Patch: 102835-01 Obsoletes: Packages: SUNWoldst
Patch: 102837-01 Obsoletes: Packages: SUNWoldst
Patch: 102839-01 Obsoletes: Packages: SUNWoldst
Patch: 102846-01 Obsoletes: Packages: SUNWolimt

----- A different machine

Patch: 103667-01 Obsoletes: Packages: SUNWcsu, SUNWhea
Patch: 103169-06 Obsoletes: Packages: SUNWcsu, SUNWcsr
Patch: 103242-04 Obsoletes: Packages: SUNWcsu, SUNWcsr, SUNWarc, SUNWbtool, SUNWhea, SUNWtoo
Patch: 103279-02 Obsoletes: , Requires:, 103667-01 Packages: SUNWcsu, SUNWcsr
Patch: 103468-01 Obsoletes: Packages: SUNWcsu
Patch: 103703-01 Obsoletes: , Requires:, 103667-01 Packages: SUNWcsu
Patch: 103815-01 Obsoletes: Packages: SUNWcsu
Patch: 103093-06 Obsoletes: 103084-02, 103489-01 Packages: SUNWcsr, SUNWcar
Patch: 103447-03 Obsoletes: Packages: SUNWcsr
Patch: 102832-01 Obsoletes: Packages: SUNWolrte, SUNWolslb
Patch: 102841-01 Obsoletes: Packages: SUNWolrte, SUNWolslb
Patch: 102850-01 Obsoletes: Packages: SUNWolrte, SUNWolinc, SUNWolslb
Patch: 102832-02 Obsoletes: Packages: SUNWolrte, SUNWolslb
Patch: 102835-01 Obsoletes: Packages: SUNWoldst
Patch: 102837-01 Obsoletes: Packages: SUNWoldst
Patch: 102839-01 Obsoletes: Packages: SUNWoldst
Patch: 103300-02 Obsoletes: Packages: SUNWoldst
Patch: 102971-01 Obsoletes: Packages: SUNWscpu
Patch: 103241-01 Obsoletes: Packages: SUNWbcp
Patch: 103746-01 Obsoletes: , Requires:, 103667-01 Packages: SUNWfns
Patch: 103266-01 Obsoletes: Packages: SUNWnisu
Patch: 103708-01 Obsoletes: , Requires:, 103667-01 Packages: SUNWnisu
Patch: 103017-05 Obsoletes: Packages: SUNWssadv, SUNWssaop
Patch: 102846-01 Obsoletes: Packages: SUNWolimt

-----

--
Paul Henson | System Administrator | Cal Poly Pomona | (909) 869-3781
pbhenson () csupomona edu | finger henson () brick dce csupomona edu for PGP key
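As an added check (not code from this post or from Sun), a small parser for the showrev -p line format pasted above that reports whether a given patch base, here 103615, is present on a host either directly or through a patch that obsoletes it. The sample output is constructed, the package name on the 103615 line is a placeholder, and the field splitter tolerates the stray commas that appear in the pasted "Obsoletes: , Requires:," lines.

```python
import re

# Constructed sample in showrev -p format (not the output pasted in the post).
# The 103615-02 line is hypothetical; SUNWxxxx is a placeholder package name.
SAMPLE_SHOWREV = """\
Patch: 103667-01 Obsoletes: Packages: SUNWcsu, SUNWhea
Patch: 103279-02 Obsoletes: , Requires:, 103667-01 Packages: SUNWcsu, SUNWcsr
Patch: 103093-06 Obsoletes: 103084-02, 103489-01 Packages: SUNWcsr, SUNWcar
Patch: 103615-02 Obsoletes: Packages: SUNWxxxx
"""

# One showrev -p line: "Patch: <id> Obsoletes: [ids] [Requires: [ids]] Packages: pkgs"
PATCH_RE = re.compile(
    r"^Patch:\s*(?P<id>\d{6}-\d{2})\s+Obsoletes:\s*(?P<obs>.*?)\s*"
    r"(?:Requires:\s*(?P<req>.*?)\s*)?Packages:\s*(?P<pkgs>.*)$"
)


def _ids(field):
    # Split a comma/space separated field, dropping empty tokens and stray commas.
    return [tok for tok in re.split(r"[,\s]+", field or "") if tok]


def parse_showrev(text):
    """Map patch id -> {obsoletes, requires, packages} from showrev -p output."""
    patches = {}
    for line in text.splitlines():
        m = PATCH_RE.match(line.strip())
        if m:  # non-matching lines (headers, blank lines) are ignored
            patches[m["id"]] = {
                "obsoletes": _ids(m["obs"]),
                "requires": _ids(m["req"]),
                "packages": _ids(m["pkgs"]),
            }
    return patches


def installed_revisions(patches, base):
    """Revisions of patch `base` present: installed directly, or listed as
    obsoleted by an installed patch (which carries its fixes forward)."""
    found = {}
    for pid, info in patches.items():
        if pid.split("-")[0] == base:
            found[pid] = "direct"
        for obs in info["obsoletes"]:
            if obs.split("-")[0] == base:
                found[obs] = "obsoleted by " + pid
    return found


if __name__ == "__main__":
    # Per the thread, 103615-01 and up is the patch level under discussion.
    print(installed_revisions(parse_showrev(SAMPLE_SHOWREV), "103615"))
```

On a real host, feed it the output of showrev -p instead of the constructed sample.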