Bugtraq mailing list archives
Re: ospf_monitor (Solaris 2.5)
From: smm () WPI EDU (Seth Michael McGann)
Date: Thu, 22 Oct 1998 02:25:13 -0400
On Thu, 22 Oct 1998, Seth Michael McGann wrote:
> I can confirm that the version in FreeBSD 2.2.6 is indeed vulnerable, the stack is smashed and we are root at the time :(. Fortunately, it is not executable by anyone but root or group ospf. I would venture that Solaris x86 is vulnerable. The exploit is trivial, just change the target in your favorite local overflow and exec.
I hate to reply to myself, but: On further inspection, it appears ospf_monitor drops privileges after opening a raw multicast socket, but before it overflows. So basically, no instant root, but you have an open raw socket descriptor, which could be useful. Ah well...