Bugtraq mailing list archives
Re: Exploit for buffer overflow in /bin/eject - Solaris 2.X -
From: alucard () THOR PLA-NET NET (The Nocturnal Prince)
Date: Fri, 14 Mar 1997 00:18:31 -0600
On Thu, 13 Mar 1997, Jonathan Sturges wrote:
> I was just testing this on my Solaris 2.5 (SPARC) boxes. And, it appears that if you're running Volume Management (vold), that eject doesn't need to be set-UID anyway.
--Ditto on 2.4, which is what we're running here. Removing the setuid bit made the hole a non-issue, and didn't change the way the command worked. I suspect that the automounter might have something to do with it... (Correct me if I'm wrong here...) I assume that the setuid is for implementations without automount/volume management, where the eject program would need to umount the CD itself. Since the management/automount programs handle the mounting and umounting _for_ us, all /bin/eject needs to do is activate the mechanics...something for which setuid root isn't needed.

Something I'm curious about, however: why are the last two chars of the shellcode commented out in the 2.4 exploit, and why on earth does it still work? E.g.:

    "\x91\xd0"/*\x20\x08"*/
--Ed--

alucard () pla-net net                  If I must die,
Chief Systems Officer                   I will encounter darkness as a bride
http://www.pla-net.net/~alucard/        And hug it in my arms
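As an added example (not part of the original thread), a small sh audit helper that applies the reasoning in the reply above: on a host where vold handles mounting, a setuid /bin/eject is unnecessary privilege and should be flagged for the chmod u-s mitigation. The binary path and process name are the Solaris ones named in the thread; the sample ps and ls lines in the comments are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits /bin/eject's setuid bit
# against whether vold is running. Assumes the Solaris path /bin/eject and
# the process name vold as named in the discussion above.

# Return 0 if a mode string as printed by ls -l (e.g. -r-sr-xr-x, constructed)
# carries the setuid bit (lowercase s, or uppercase S when owner-exec is off).
is_setuid_mode() {
    case "$1" in
        ???s*|???S*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Return 0 if a ps listing on stdin shows vold running
# (e.g. "root 123 1 0 Mar13 ? 00:00:00 /usr/sbin/vold", constructed).
vold_running() {
    grep -Eq '[/ ]vold( |$)'
}

# Print the recommendation for the given eject mode string ($1) and
# vold presence ($2 = yes|no): remove-setuid, keep, or not-setuid.
# "keep" means the bit is still needed because nothing else will umount.
eject_recommendation() {
    if is_setuid_mode "$1"; then
        if [ "$2" = yes ]; then echo remove-setuid; else echo keep; fi
    else
        echo not-setuid
    fi
}

# Read-only live check of the current host using the helpers above.
audit_eject() {
    bin=/bin/eject
    [ -e "$bin" ] || { echo "no $bin on this host"; return 0; }
    mode=$(ls -l "$bin" | awk '{print $1}')
    if ps -e 2>/dev/null | vold_running; then v=yes; else v=no; fi
    echo "$bin mode=$mode vold=$v -> $(eject_recommendation "$mode" "$v")"
}
```

A "remove-setuid" result corresponds to the mitigation the reply describes: chmod u-s /bin/eject, after which eject keeps working because vold does the mounting.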