Bugtraq mailing list archives
Re: Solaris libc exploit
From: oysteivi () TIHLDE ORG (Oystein Viggen)
Date: Sat, 22 May 1999 17:26:47 +0200
On Sat, 22 May 1999, UNYUN@ShadowPenguinSecurity wrote:
Hello. libc overflows when it handles LC_MESSAGES. So, if you set a long string in LC_MESSAGES and call /bin/sh, a core file is dumped. This is a serious problem. If a long string that contains the exploit code is set in LC_MESSAGES and a suid program is called by execl(), a local user can get root privilege. The called suid program does not have to contain the overflow bug. I confirmed this bug on Solaris 2.6 and Solaris 7. Solaris 2.4 and 2.5 do not contain this bug.
Didn't work on my Solaris 2.6/sparc box. It just said "Illegal instruction" when using /bin/passwd and segfaulted when using /bin/su.

Oystein

---
"The only way of discovering the limits of the possible is to venture a little way past them into the impossible." - Arthur C. Clarke