Bugtraq mailing list archives

Re: Solaris libc exploit


From: oysteivi () TIHLDE ORG (Oystein Viggen)
Date: Sat, 22 May 1999 17:26:47 +0200


On Sat, 22 May 1999, UNYUN@ShadowPenguinSecurity wrote:

> Hello.
>
> libc overflows when it handles LC_MESSAGES.
> So, if you set a long string to LC_MESSAGES and call
> /bin/sh, a core file is dumped.
> This is a serious problem.
>
> If a long string that contains the exploit code is set to
> LC_MESSAGES and a suid program is called by execl(), a local user
> can get root privilege. The called suid program does not
> have to contain the overflow bug itself.
> I confirmed this bug on Solaris 2.6 and Solaris 7.
> Solaris 2.4 and 2.5 do not contain this bug.

Didn't work on my Solaris2.6/sparc box.
It just said "Illegal instruction" when using /bin/passwd and segfaulted
when using /bin/su.

Oystein
---
"The only way of discovering the limits of the possible
is to venture a little way past them into the impossible."
- Arthur C. Clarke
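The reproduction both posters describe is just "put a long LC_MESSAGES in the environment, then exec a target that need not itself be buggy, and see whether it dies". Below is an added harness for exactly that check; it is not code from UNYUN's post or from this reply. The environment value is a plain run of 'A' bytes, not exploit code, so the only thing it tells you is whether the target crashes and with which signal, which is the distinction the two reports above draw: a segfault means a bad memory access, while "Illegal instruction" means the CPU was asked to execute bytes that are not code, i.e. control flow was already diverted. The default target (/bin/sh -c "exit 0") and the probe lengths are assumptions; pass your own argv to point it at a setuid binary that exits without waiting on stdin.

```c
/*
 * Added example: probe a program with an oversized LC_MESSAGES and report
 * how it died. Not code from the original thread. Filler is 'A' bytes only.
 */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Exit code the child uses when exec itself fails (same value the shell uses
   for "command not found"; a target that legitimately exits 127 is reported
   as an exec failure, so pick targets that exit 0). */
#define EXEC_FAILED 127

/*
 * Run `path` with argument vector `argv` after setting LC_MESSAGES to
 * `len` bytes of 'A'. Returns:
 *   >0  the signal number that killed the child (SIGSEGV, SIGILL, ...)
 *    0  the child exited on its own (the variable was handled safely)
 *   -1  the probe could not be set up or the target could not be executed
 */
int lc_messages_crash_signal(const char *path, char *const argv[], size_t len)
{
    char *filler = malloc(len + 1);
    if (filler == NULL)
        return -1;
    memset(filler, 'A', len);
    filler[len] = '\0';

    pid_t pid = fork();
    if (pid < 0) {
        free(filler);
        return -1;
    }
    if (pid == 0) {
        /* Child: the only difference from a normal run is the long
           LC_MESSAGES inherited through the environment. */
        if (setenv("LC_MESSAGES", filler, 1) != 0)
            _exit(EXEC_FAILED);
        execv(path, argv);
        _exit(EXEC_FAILED);
    }
    free(filler);

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    if (WIFEXITED(status) && WEXITSTATUS(status) == EXEC_FAILED)
        return -1;
    return 0;
}

/* Map the harness result to the wording people use in crash reports. */
const char *signal_name(int result)
{
    switch (result) {
    case -1:      return "exec failed";
    case 0:       return "exited normally";
    case SIGSEGV: return "segmentation fault";
    case SIGILL:  return "illegal instruction";
    case SIGBUS:  return "bus error";
    default:      return "killed by other signal";
    }
}

int main(int argc, char **argv)
{
    /* Assumed default target: a shell that exits immediately. Any argv
       given on the command line replaces it, e.g. ./probe /bin/passwd -s */
    char *const default_argv[] = { "/bin/sh", "-c", "exit 0", NULL };
    char *const *target = argc > 1 ? (char *const *)(argv + 1) : default_argv;

    size_t lens[] = { 256, 1024, 4096, 16384 };  /* assumed probe sizes */
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        int r = lc_messages_crash_signal(target[0], target, lens[i]);
        printf("LC_MESSAGES length %5zu: %s (%d)\n", lens[i], signal_name(r), r);
    }
    return 0;
}
```

On a libc without the bug every length reports "exited normally"; a crash at some length but not a shorter one gives you the size at which the locale handling overruns its buffer, which is the first number you need before looking at what actually overflowed.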


