Vulnerability Development mailing list archives

in.comsat buffer overflow in solaris 8


From: Robert Weber <robert.weber () COLORADO EDU>
Date: Tue, 6 Feb 2001 08:34:32 -0700

Systems affected:

        Any system running Solaris 8

Background:
        
        In Solaris 8, Sun eliminated the wtmp/utmp with the improved
wtmpx/utmpx.  In the update of all programs that read these, someone missed
a "char tty[20]" that stores a utmpx-->ut_line[32].  When ptys start
getting high in number, comsat dumps core.

So what:

        Well, I'm not good enough to somehow put a bad pty in the utmpx and
somehow use the extra 12 chars for an exploit, but I think it's shoddy
work.  I'd love to see an exploit, but it's probably not possible.  I
reported the bug to Sun last year sometime and I've never heard back, other
than "we'll look into fixing it in the next 18-36 months".

Workaround:

        I guess you can use xbiff or a better mail program.  It is the 21st
century and all that.


                                                Robert Weber
                                                University of Colorado
                                                UnixOps
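The defect the post describes is a fixed 20-byte local buffer receiving a 32-byte utmpx line field. The following is an added example, not code from the post, from in.comsat, or from Sun: it uses a hypothetical `sample_utmpx` struct standing in for the real utmpx record, shows as a predicate whether the legacy unchecked copy would overrun `char tty[20]`, and pairs it with a bounds-checked copy that skips entries that do not fit. The sample records are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for the record type the post describes: Solaris 8
 * utmpx carries a 32-byte ut_line, which is not guaranteed to be
 * NUL-terminated. Hypothetical struct, not the system header. */
#define UT_LINESIZE 32
struct sample_utmpx {
    char ut_line[UT_LINESIZE];
};

/* The undersized local buffer the post says comsat still uses. */
#define LEGACY_TTY_SIZE 20

/* Length of a possibly unterminated field, never reading past cap bytes. */
static size_t bounded_len(const char *s, size_t cap)
{
    size_t n = 0;
    while (n < cap && s[n] != '\0')
        n++;
    return n;
}

/* The legacy pattern from the post, expressed only as a predicate: would an
 * unchecked string copy of ut_line into char tty[20] write past the buffer?
 * The copy itself is deliberately not performed. */
int would_overflow_legacy(const struct sample_utmpx *u)
{
    /* An unchecked copy writes the characters plus one terminating byte. */
    return bounded_len(u->ut_line, UT_LINESIZE) + 1 > LEGACY_TTY_SIZE;
}

/* Hardened copy: returns 1 and fills tty on success, 0 if the line name
 * cannot fit together with its terminator. A caller should skip such an
 * entry rather than truncate it, since a truncated tty name could name a
 * different terminal. */
int copy_line_checked(char *tty, size_t ttysize, const struct sample_utmpx *u)
{
    size_t n = bounded_len(u->ut_line, UT_LINESIZE);
    if (ttysize == 0 || n >= ttysize)
        return 0;
    memcpy(tty, u->ut_line, n);
    tty[n] = '\0';
    return 1;
}

/* Audit helper: how many entries in a utmpx snapshot would have overrun
 * the legacy 20-byte buffer. */
size_t count_overlong_lines(const struct sample_utmpx *entries, size_t count)
{
    size_t bad = 0;
    for (size_t i = 0; i < count; i++)
        if (would_overflow_legacy(&entries[i]))
            bad++;
    return bad;
}

/* Constructed sample records: two short names, one 20-character name
 * (one byte too many once the terminator is counted) and one 32-character
 * unterminated line, which fills ut_line completely. */
const struct sample_utmpx sample_entries[] = {
    { "pts/3" },
    { "console" },
    { "pts/1234567890123456" },
    { "0123456789abcdef0123456789abcdef" },
};
#define SAMPLE_COUNT (sizeof sample_entries / sizeof sample_entries[0])

int main(void)
{
    char tty[LEGACY_TTY_SIZE];
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        if (copy_line_checked(tty, sizeof tty, &sample_entries[i]))
            printf("ok   %s\n", tty);
        else
            printf("skip %.32s (does not fit in %zu bytes)\n",
                   sample_entries[i].ut_line, sizeof tty);
    }
    printf("%zu of %zu entries would overrun the legacy buffer\n",
           count_overlong_lines(sample_entries, SAMPLE_COUNT),
           (size_t)SAMPLE_COUNT);
    return 0;
}
```

Two of the four constructed records would have overrun the 20-byte buffer; the checked copy rejects both and accepts the rest, which is the behaviour a fixed comsat would need regardless of how many ptys are allocated.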

