Vulnerability Development mailing list archives
in.comsat buffer overflow in solaris 8
From: Robert Weber <robert.weber () COLORADO EDU>
Date: Tue, 6 Feb 2001 08:34:32 -0700
Systems affected: Any system running Solaris 8

Background: In Solaris 8, Sun eliminated the wtmp/utmp with the improved wtmpx/utmpx. In the update of all programs that read these, someone missed a "char tty[20]" that stores a utmpx-->ut_line[32]. When ptys start getting high in number, comsat dumps core.

So what: Well, I'm not good enough to somehow put a bad pty in the utmpx and somehow use the extra 12 chars for an exploit, but I think it's shoddy work. I'd love to see an exploit but it's probably not possible. I reported the bug to Sun last year sometime and I've never heard back, other than "we'll look into fixing it in the next 18-36 months".

Workaround: I guess you can use xbiff or a better mail program. It is the 21st century and all that.

Robert Weber
University of Colorado
UnixOps
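The size mismatch described in the post, as an added C example (not part of the original message, and not Sun's in.comsat source, which the post does not show). It sizes the destination from the record field instead of a hard-coded 20 and bounds the copy, because a name that fills the fixed-width field has no trailing NUL. `demo_utmpx`, `copy_ut_line` and `TTY_BUF` are hypothetical names; only the sizes 20 and 32 come from the post.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the utmpx record; only the field size (32)
 * comes from the post. Real code would include <utmpx.h>. */
#define LINE_FIELD 32
struct demo_utmpx { char ut_line[LINE_FIELD]; };

/* Destination sized from the source field plus a terminator, instead of
 * a hard-coded 20 carried over from the older, smaller record. */
#define TTY_BUF (sizeof(((struct demo_utmpx *)0)->ut_line) + 1)

/* Copy a fixed-width, possibly unterminated ut_line into dst.
 * Returns the name length, or -1 if dst cannot hold it; dst is never
 * written past dst_len. */
int copy_ut_line(const struct demo_utmpx *u, char *dst, size_t dst_len)
{
    /* Scan is bounded by the field size: a name that fills the field
     * has no trailing NUL, so strlen()/strcpy() would run past it. */
    size_t n = 0;
    while (n < sizeof(u->ut_line) && u->ut_line[n] != '\0')
        n++;
    if (dst_len == 0 || n >= dst_len)
        return -1;              /* reject instead of overflowing */
    memcpy(dst, u->ut_line, n);
    dst[n] = '\0';
    return (int)n;
}

int main(void)
{
    struct demo_utmpx u;
    char old_tty[20];           /* size quoted in the post */
    char tty[TTY_BUF];          /* size derived from the field */

    memset(u.ut_line, 'A', sizeof(u.ut_line));  /* constructed: full field, no NUL */
    printf("20-byte buffer: %d\n", copy_ut_line(&u, old_tty, sizeof(old_tty)));
    printf("derived buffer: %d\n", copy_ut_line(&u, tty, sizeof(tty)));

    memset(u.ut_line, 0, sizeof(u.ut_line));
    memcpy(u.ut_line, "pts/7", 5);              /* constructed short name */
    printf("short name: %d\n", copy_ut_line(&u, old_tty, sizeof(old_tty)));
    return 0;
}
```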