Bugtraq mailing list archives

Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit


From: im14u2c () cegt201 bradley edu (Joe Zbiciak)
Date: Wed, 20 Nov 1996 00:56:04 -0600


And then Alan Cox went and said something like this:

|
|> The exploit does not work on my 2.5.1 Ultra-1.  Presumably this is
|> just a matter of getting the machine code right for the platform. ;)
|
|According to Dave Miller (Linux sparc guru) the I & D caches on the ultra
|are not coherent, so you'll need to find a way to flush the I cache.
|
|Alan
|

I would imagine running a couple copies of a program such as the following
in the background would keep the data caches pretty well flushed:

int main(void)
{
        /* 64 MiB buffer; static so it lives outside the stack */
        static int playpen[1<<24];
        int i;

        /* Walk the whole buffer forever, touching two widely separated
         * locations per iteration, to keep the D-cache churning. */
        while (1) for (i=0;i<(1<<24);i++) playpen[i^0x2a3a4a]=playpen[i]*i+1;

        return 0; /* not reached */
}

I'm not sure how you'd flush the I-cache, though, unless you were able
to construct some really nasty straight-line code that was really long.
A program such as the following might generate a suitable program.  (This
program *generates* C code, which you would then need to compile.)

#include <stdio.h>

int main(void)
{
        int i;

        /* Emit a C program made of 65536 straight-line statements that
         * thrash a 256 KiB buffer inside an endless loop. */
        printf("int main(void) { static int playpen[1<<16]; \n while(1) {\n");
        for (i=0;i<(1<<16);i++)
                printf("playpen[%d]=playpen[%d]*%d+1;\n",i^0x3a4a,i,(1<<16)-i);
        printf("} return 0; }\n");

        return 0;
}


Then exploiting the bug would be a matter of "racing" the task-switcher,
to see if it will switch tasks after the stack smash, but before the
spurious jump, so that these other tasks have a chance to flush the caches.
Putting the exploiting call into a loop should run the race for you
automagically.

--Joe Z.

--
                                                :======= Joe Zbiciak =======:
                 Advice...                      :- - im14u2c () bradley edu - -:
           Wise man don't need it,              : - - - - - http: - - - - - :
            fools don't heed it.                ://ee1.bradley.edu/~im14u2c/:
                                                :======= DISCLAIMER: =======:
            -- Darin S. Lory                    : -Only crazy people would- :
                                                := = = -agree with me- = = =:
(504:834 3:15)