Bugtraq mailing list archives

Re: solaris 2.x rdist exploit/ too many humbles :P


From: gilbert () ALLEYCAT VPI HYDRO QC CA (gilbert () ALLEYCAT VPI HYDRO QC CA)
Date: Fri, 14 Aug 1998 12:07:46 -0400


John Mcdonald wrote:

> Enclosed is an exploit for a hole in Solaris rdist that I believe the
> patch #105667-01 addresses. That patch is for 2.6. I've personally tested
> the exploit on 2.6, 2.5.1, and 2.5 machines.

I've tested the rdist exploit on a Sparc 20 w/ Solaris 2.6 unpatched, and
it works. It is foiled however by adding "set noexec_user_stack=1" to
/etc/system.

Stack address: 0xefffe748. Safe address: 0xefffe650 (delta 248).
Jumping to address 0xeffff080 B[1024] E[400] SO[2360]
rdist: line 1: : No such file or directory
gilbert () alleycat vpi hydro qc ca> id
uid=1001(gilbert) gid=10(staff)

--
Patrick Gilbert                                +1 (514) 289-2211.6325
Projets Speciaux / Hydro-Quebec      gilbert () alleycat vpi hydro qc ca
Montreal (QC), Canada CC FC E6 B7 20 7D 6A 11  78 FB 59 86 FE BA 9F 73
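
The /etc/system setting reported above as foiling the exploit can be audited with a small script. This is an added example, not part of the original message; the function name noexec_stack_state and the sample file are constructed, and it assumes that '*' begins a comment line and that the last matching "set" line takes effect.

```shell
#!/bin/sh
# Added example: report the state of noexec_user_stack in an
# /etc/system-style file.
# Assumptions: '*' starts a comment line; the last matching "set" wins.
# Prints one of: enabled, disabled, unset.
noexec_stack_state() {
    # $1: path to /etc/system (or a copy of it)
    awk '
        /^[ \t]*\*/ { next }                  # skip comment lines
        # Exact name match: noexec_user_stack_log must not count.
        /^[ \t]*set[ \t]+noexec_user_stack[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)       # keep what follows "="
            sub(/[ \t].*$/, "", v)            # drop anything after the value
            val = v
            seen = 1
        }
        END {
            if (!seen)           print "unset"
            else if (val == "1") print "enabled"
            else                 print "disabled"
        }
    ' "$1"
}

# Constructed sample: a commented-out setting, the separate logging
# tunable, then the real setting given twice.
sample=$(mktemp)
cat > "$sample" <<'EOF'
* set noexec_user_stack=1
set noexec_user_stack_log=1
set noexec_user_stack=0
set noexec_user_stack=1
EOF
noexec_stack_state "$sample"
rm -f "$sample"
```

/etc/system is read at boot, so the result describes what the next boot will apply rather than the state of the running kernel.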


