Bugtraq mailing list archives
Re: Solaris ld.so possibly vulnerable?
From: casper () HOLLAND SUN COM (Casper Dik)
Date: Tue, 22 Jul 1997 11:47:28 +0200
As for the existence of a stack overrun condition similar to the one in Linux in the Solaris ld.so, I do not believe this to be the case. The bug the program you posted triggers is indeed because of a call to strcpy(), however the buffers in question are not on the stack but are malloc()ed during run time. (There are some cases where ld.so first calls strlen() to determine how much memory to ask malloc() for, if I remember correctly; obviously, the particular instance you've discovered is not one of those).
The bug is in a routine that formats error messages into a dynamically allocated buffer. Since the buffer will live after the program's data segment, the _iob (stdioflow) trick won't work on it. Also, when applied to a set-uid/set-gid program it isn't possible to force an ld.so error using LD_PRELOAD (ignored) or many of the other LD_ variables (they're mostly ignored). However, in some versions of Solaris such errors are generated by the implementation of dynamically loadable functionality and on such systems you can crash set-uid executables.

Casper
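The two buffer-sizing shapes the post contrasts, as an added example (not Casper's code and not Solaris ld.so source): an error-message formatter that fills a fixed-size malloc()ed buffer with strcpy()/strcat() of caller-controlled strings, beside the measure-first (strlen()/snprintf()) sizing the post mentions for other ld.so paths. The function names, the 128-byte buffer size and the sample inputs are assumptions; the unsafe shape refuses the overrun here rather than performing it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIXED_MSG_SIZE 128  /* assumed size of the fixed heap buffer in the unsafe shape */

/* Unsafe shape: fixed-size malloc()ed buffer, then strcpy()/strcat() of
 * strings the caller (and so the environment or object name) controls.
 * The length check is added here so the overrun is detected and refused;
 * without it, a long object name writes past the end of the allocation. */
char *format_error_fixed(const char *prefix, const char *object, const char *detail)
{
    size_t need = strlen(prefix) + 2 + strlen(object) + 2 + strlen(detail) + 1;
    if (need > FIXED_MSG_SIZE)
        return NULL;                 /* the original pattern would overrun here */
    char *buf = malloc(FIXED_MSG_SIZE);
    if (buf == NULL)
        return NULL;
    strcpy(buf, prefix);  strcat(buf, ": ");
    strcat(buf, object);  strcat(buf, ": ");
    strcat(buf, detail);
    return buf;
}

/* Safe shape: measure the formatted message first, then allocate exactly
 * that much (snprintf with a NULL buffer reports the length it would write). */
char *format_error_sized(const char *prefix, const char *object, const char *detail)
{
    int needed = snprintf(NULL, 0, "%s: %s: %s", prefix, object, detail);
    if (needed < 0)
        return NULL;
    char *buf = malloc((size_t)needed + 1);
    if (buf == NULL)
        return NULL;
    snprintf(buf, (size_t)needed + 1, "%s: %s: %s", prefix, object, detail);
    return buf;
}

int main(void)
{
    /* constructed inputs: a normal object name and an overlong one */
    char longname[1024];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    char *ok  = format_error_sized("ld.so.1", "/usr/lib/libfoo.so", "open failed");
    char *big = format_error_fixed("ld.so.1", longname, "open failed");
    char *big2 = format_error_sized("ld.so.1", longname, "open failed");
    printf("%s\n", ok);
    printf("fixed buffer: %s\n", big ? "fits" : "refused (would overrun)");
    printf("sized buffer: %zu bytes\n", strlen(big2));
    free(ok); free(big); free(big2);
    return 0;
}
```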