Bugtraq mailing list archives
Re: sunos rlogin
From: espel () clipper ens fr (Roger Espel Llima)
Date: Thu, 5 Dec 1996 01:03:17 +0100
Buffer overrun in rlogin; this has been known (at least to the linux and bsd community) for some months. In at least some versions that buffer is on the stack; an exploit for the old linux rlogin is reported to exist, also, in spite of various difficulties.
On both SunOS4 and current Solaris the problem is there, but not on the stack... I was wondering if it might be possible to exploit it under Solaris by overwriting libc's internal variables (like its internal signal handling stuff, maybe sending a SIGPIPE just at the right moment, since rlogin sets a SIGPIPE handler just before doing the offending strcpy()... doesn't Solaris put the real kernel signal handler to an address somewhere in libc, and then use a pointer to call the one the program set? I think I saw this somewhere...).
> What causes the SEGV? Unless you're hitting the end of the data segment (and you aren't, if the BSS is in fact 8k further along in that direction) *something*'s getting overwritten.
As far as I could understand, the SEGV came from the strcat(), because the strcpy() overwrites the string that would normally get strcatted (a "/") so it ends up appending an endless string of 'x's onto itself, and loops until it reaches the end of the BSS.

-Roger
-- 
e-mail: roger.espel.llima () ens fr
WWW page & PGP key: http://www.eleves.ens.fr:8080/home/espel/index.html
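As an added illustration (not code from this message, from rlogin, or from Sun), the runaway strcat() described above can be replayed in C against a simulated data segment. The layout is an assumption: a 64-byte term buffer immediately followed by the two-byte "/" separator in one writable segment, and a 4096-byte arena standing in for the data/BSS. The strcpy() and strcat() below are byte-by-byte reimplementations that stop at the arena end instead of faulting, so the point where the real libc routine would take the SEGV is reported as a return value. The bounded-copy variant is the generic remedy, not a description of any vendor patch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for the writable data/BSS segment; real sizes differ. */
#define ARENA_SIZE 4096
/* Assumed fixed-size destination of the strcpy(); rlogin's real size is not given. */
#define TERM_SIZE  64

static unsigned char arena[ARENA_SIZE];

/* Hypothetical layout: the term buffer sits at the start of the segment and
 * the two-byte separator "/" that later gets strcat()ed lands right after it. */
static char *term_buf(void) { return (char *)arena; }
static char *sep_str(void)  { return (char *)arena + TERM_SIZE; }

/* Unbounded strcpy() that stops at the segment end instead of faulting.
 * Returns 0 on normal termination, -1 if it would have run past the segment. */
static int sim_strcpy(char *dst, const char *src, const char *limit)
{
    while (dst < limit) {
        *dst = *src;
        if (*src == '\0')
            return 0;
        dst++;
        src++;
    }
    return -1;
}

/* Byte-by-byte strcat() like the libc of the day. Returns the number of bytes
 * appended, or -1 if the copy ran off the end of the segment, which is where
 * the real one takes the SEGV. There is no overlap check: when src's NUL is
 * the same byte as dst's NUL, the first store destroys it and the loop never
 * finds a terminator again. */
static long sim_strcat(char *dst, const char *src, const char *limit)
{
    char *p = dst + strlen(dst);
    long n = 0;
    while (p < limit) {
        *p = *src;
        if (*src == '\0')
            return n;
        p++;
        src++;
        n++;
    }
    return -1;
}

/* Replays the sequence: place "/" after the term buffer, copy a term value of
 * term_len 'x' bytes (constructed input standing in for $TERM), then append
 * the separator. Returns sim_strcat()'s result: bytes appended, or -1 for the
 * runaway copy. With use_bounded_copy set, a length-checked copy replaces the
 * strcpy(), which is the fix. */
long run_scenario(size_t term_len, int use_bounded_copy)
{
    static char input[ARENA_SIZE];
    const char *limit = (const char *)arena + ARENA_SIZE;
    char *term = term_buf();
    char *sep  = sep_str();

    if (term_len >= sizeof input)
        return -2;
    memset(arena, 0, sizeof arena);
    sep[0] = '/';
    sep[1] = '\0';
    memset(input, 'x', term_len);
    input[term_len] = '\0';

    if (use_bounded_copy) {
        strncpy(term, input, TERM_SIZE - 1);
        term[TERM_SIZE - 1] = '\0';
    } else if (sim_strcpy(term, input, limit) != 0) {
        return -1;
    }
    return sim_strcat(term, sep, limit);
}

int main(void)
{
    printf("short TERM, strcpy:      %ld\n", run_scenario(10, 0));  /* 1: "/" appended */
    printf("TERM just fills buffer:  %ld\n", run_scenario(64, 0));  /* 0: NUL lands on "/" */
    printf("TERM one byte too long:  %ld\n", run_scenario(65, 0));  /* -1: runaway */
    printf("long TERM, bounded copy: %ld\n", run_scenario(100, 1)); /* 1: "/" appended */
    return 0;
}
```

The interesting boundary is one byte past the buffer: with 64 bytes the terminating NUL lands on the "/" itself and strcat() simply appends nothing, but with 65 bytes the "/" becomes an 'x' whose terminator is the same NUL strcat() overwrites on its first store, so the copy chases its own tail until it leaves the segment. That is a runaway on data-segment memory with no stack involvement at all, which matches the observation that the overflowed buffer is not on the stack on SunOS and Solaris.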