Bugtraq mailing list archives

Re: Exploit for buffer overflow in /bin/eject - Solaris 2.X -


From: alucard () THOR PLA-NET NET (The Nocturnal Prince)
Date: Fri, 14 Mar 1997 00:18:31 -0600


On Thu, 13 Mar 1997, Jonathan Sturges wrote:

> I was just testing this on my Solaris 2.5 (SPARC) boxes.  And, it appears
> that if you're running Volume Management (vold), that eject doesn't need
> to be set-UID anyway.

--Ditto on 2.4, which is what we're running here.  Removing the
  setuid bit made the hole a non-issue, and didn't change the way
  the command worked.  I suspect that the automounter might have
  something to do with it...  (Correct me if I'm wrong here...) I assume
  that the setuid is for implementations without automount/volume
  management, where the eject program would need to umount the cd
  itself.  Since the management/automount programs handle the mounting
  and umounting _for_ us, all /bin/eject needs to do is activate the
  mechanics...something for which setuid root isn't needed.

  Something I'm curious about, however: why are the last two chars of the
  shellcode commented out in the 2.4 exploit, and why on earth does it
  still work?

E.g.:
   "\x91\xd0"/*\x20\x08"*/


--Ed--

   -._.-~alucard () pla-net net-~~-._.-~~-._.-~~-._.If I must die,-~~-._.-~~-
  -._.-~Chief Systems Officer~-._.-~I will encounter darkness as a bride-
 -.http://www.pla-net.net/~alucard/~-._.-~~-.And hug it in my arms_.-~~-
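The mitigation both posters describe (clear the set-uid bit on /bin/eject once vold handles mounting and unmounting) can be turned into a small audit script. The script below is an added example and is not from the original thread or from Sun; the binary path (overridable via the hypothetical EJECT_BIN variable), the assumption that the volume manager shows up as a process named vold, and the function names are all assumptions. It uses only POSIX sh features (test -u, ps, grep, chmod) so it runs on a modern system as well as on an old Solaris box; the scratch-file demonstration at the end exercises the checks without needing root.

```sh
#!/bin/sh
# Added example (not from the original post): audit whether an eject binary
# still carries the set-uid bit and whether vold, the volume manager the
# posters say makes set-uid unnecessary, is running. The path, the vold
# process name and EJECT_BIN are assumptions.

# Return 0 if the file has the set-user-ID bit (POSIX "test -u"), 1 otherwise.
is_setuid() {
    [ -u "$1" ]
}

# Return 0 if a vold process appears in the process table.
# The [v] bracket keeps grep from matching its own command line.
vold_running() {
    ps -e 2>/dev/null | grep '[v]old' >/dev/null 2>&1
}

# Clear the set-uid bit, as the posters did; returns chmod's status.
drop_setuid() {
    chmod u-s "$1"
}

# Classify a binary. Prints a one-line verdict and returns:
#   0  no action needed (not set-uid)
#   1  set-uid and vold is running: the bit can be dropped
#   2  set-uid and no vold found: dropping it may break eject on this host
#   3  the binary does not exist
audit_eject() {
    bin=$1
    if [ ! -e "$bin" ]; then
        echo "missing: $bin does not exist"
        return 3
    fi
    if ! is_setuid "$bin"; then
        echo "ok: $bin is not set-uid"
        return 0
    fi
    if vold_running; then
        echo "remove: $bin is set-uid but vold handles mounting"
        return 1
    fi
    echo "review: $bin is set-uid and no vold process was found"
    return 2
}

# Demonstration on a constructed scratch file so it runs anywhere without root,
# then an audit of the real (or assumed) eject path.
demo() {
    tmp=$(mktemp) || return 1
    chmod 4755 "$tmp"                       # constructed set-uid file
    is_setuid "$tmp" && echo "scratch file is set-uid"
    drop_setuid "$tmp"
    is_setuid "$tmp" || echo "scratch file is no longer set-uid"
    audit_eject "${EJECT_BIN:-/bin/eject}" || :
    rm -f "$tmp"
}

demo
```

Run it as `EJECT_BIN=/usr/bin/eject sh audit-eject.sh` on the host in question; a "remove" verdict corresponds to the situation in the thread, where the bit could be cleared without changing how the command behaved.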


