Bugtraq mailing list archives
Possibly exploitable buffer overflow in Solaris 2.5.1 ps
From: jzbiciak () MICRO TI COM (Joe Zbiciak)
Date: Mon, 28 Apr 1997 03:54:33 -0500
All,

In poking around, I discovered it's possible to bus-error /usr/bin/ps on Solaris 2.5.1. (Not certain if any patches affecting ps have been applied to the system I discovered this on.) Giving "-u" a suitably large argument produces the bus error. I've not yet managed to exploit it.

Here's my analysis so far:

user arg >9 chars: null termination lost, extra garbage in error msg.
user arg >32 chars: ps gets completely confused about commandline and prints generic usage information.
user arg >95 chars: ps starts segmentation faulting.
user arg >100 chars: ps starts bus-erroring.

(This is using a commandline of the form 'ps -u aaaaa....aaaa'.)

It appears from this that the return address is at offset 96. Now it's just a matter of someone digging out the generic Solaris 'sploit and tuning 'er up.

--Joe

-- 
+--------------Joseph Zbiciak--------------+
|- - - - - jzbiciak () micro ti com - - - - -|
| - - http://ee1.bradley.edu/~im14u2c/ - - |   Not your average "Joe."
|- - - - Texas Instruments, Dallas - - - -|
+-------#include <std_disclaimer.h>--------+
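The staged symptoms in the post (lost terminator, then confused parsing, then SIGSEGV, then SIGBUS as the argument grows) are what an unchecked copy of an option argument into a fixed-size stack buffer looks like from the outside. The following is an added example, not code from the post and not Solaris's ps source, showing the hardened pattern for a "-u <user>" style option: a bounded copy that refuses overlong input and always leaves the buffer NUL-terminated. MAX_USER_LEN, copy_user_arg and handle_u_option are hypothetical names chosen for this example; the real login-name limit on a given Solaris build is not stated in the post, so the 8-character bound is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Assumed upper bound on a login name for this example (not from the post). */
#define MAX_USER_LEN 8

/*
 * Unsafe pattern the post's symptoms are consistent with: copying argv data
 * into a fixed stack buffer without checking its length, e.g.
 *
 *     char user[MAX_USER_LEN + 1];
 *     strcpy(user, optarg);      // length never checked
 *
 * Once the argument is longer than the buffer, the terminator is lost first,
 * then adjacent locals, then the saved frame, which matches the progression
 * of "garbage in the message", "confused", SIGSEGV and SIGBUS in the post.
 */

/*
 * Hardened form: copy at most dstsize-1 bytes, never scan past dstsize bytes
 * of the source, and always NUL-terminate dst. Returns 0 on success, -1 if
 * the argument does not fit (dst is then set to the empty string).
 */
int copy_user_arg(char *dst, size_t dstsize, const char *src)
{
    size_t n = 0;

    if (dst == NULL || src == NULL || dstsize == 0)
        return -1;

    /* Bounded length scan: stop at the terminator or at dstsize, whichever
     * comes first, so an unterminated source cannot make us read too far. */
    while (n < dstsize && src[n] != '\0')
        n++;

    if (n >= dstsize) {          /* no room left for the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Option handler for a "-u <user>" argument. Returns 1 if accepted,
 * 0 if rejected as too long (with a diagnostic, never a crash). */
int handle_u_option(const char *arg, char *out, size_t outsize)
{
    if (copy_user_arg(out, outsize, arg) != 0) {
        fprintf(stderr, "ps: user name too long (max %lu chars)\n",
                (unsigned long)(outsize - 1));
        return 0;
    }
    return 1;
}

int main(int argc, char **argv)
{
    char user[MAX_USER_LEN + 1];
    /* Constructed default input when run without arguments. */
    const char *arg = (argc > 1) ? argv[1] : "root";

    if (handle_u_option(arg, user, sizeof user))
        printf("selected user: %s\n", user);
    return 0;
}
```

Run it with a short name and then with a 100-plus character argument of the kind the post describes; the hardened version prints a diagnostic and returns cleanly in the second case instead of corrupting the stack. The important properties are that the length check happens before any byte is written and that the destination is terminated on every path, including the rejection path.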