Bugtraq mailing list archives

Re: sunos rlogin


From: espel () clipper ens fr (Roger Espel Llima)
Date: Thu, 5 Dec 1996 01:03:17 +0100


Buffer overrun in rlogin; this has been known (at least to the linux
and bsd community) for some months. In at least some versions that
buffer is on the stack; an exploit for the old linux rlogin is
reported to exist, also, in spite of various difficulties.

On both SunOS4 and current Solaris the problem is there, but not on the
stack...

I was wondering if it might be possible to exploit it under Solaris by
overwriting libc's internal variables (like its internal signal handling
stuff, maybe sending a SIGPIPE just at the right moment, since rlogin
sets a SIGPIPE handler just before doing the offending strcpy()...
doesn't Solaris put the real kernel signal handler to an address
somewhere in libc, and then use a pointer to call the one the program
set?  I think I saw this somewhere...).

What causes the SEGV? Unless you're hitting the end of the data
segment (and you aren't, if the BSS is in fact 8k further along in
that direction) *something*'s getting overwritten.

As far as I could understand, the SEGV came from the strcat(), because
the strcpy() overwrites the string that would normally get strcatted (a
"/") so it ends up appending an endless string of 'x's onto itself, and
loops until it reaches the end of the BSS.

        -Roger
--
e-mail: roger.espel.llima () ens fr
WWW page & PGP key: http://www.eleves.ens.fr:8080/home/espel/index.html
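An added example, not code from Roger's post or from any rlogin implementation, that models the non-stack overrun he describes (an unbounded copy clobbering the separator that strcat() later reads, so the call appends the buffer's own tail to itself) beside a bounded replacement that also rejects a strcat source aliasing its destination; the struct layout, names and sizes are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model (not rlogin's real layout): a fixed buffer with the
 * separator string that a later strcat() reads from sitting right after it. */
struct layout {
    char term[16];
    char sep[2];
};

/* Models the failure the post describes: copy src into term with no length
 * check. The copy is clamped to the struct so the model itself stays in
 * bounds, but anything longer than term spills into sep. Returns true if
 * sep still reads "/"; false means strcat(term, sep) would now read its
 * source from inside its own destination and append until it faults. */
bool sep_survives_unbounded_copy(struct layout *l, const char *src) {
    size_t n = strlen(src) + 1;
    memset(l, 0, sizeof *l);
    memcpy(l->sep, "/", 2);
    if (n > sizeof *l) n = sizeof *l;
    memcpy((char *)l + offsetof(struct layout, term), src, n);
    return memcmp(l->sep, "/", 2) == 0;
}

/* Hardened form: build "name<sep><suffix>" into dst with explicit length
 * accounting, and refuse any piece that lives inside dst (the aliasing that
 * turns strcat into a self-append). Returns 0 on success, -1 on rejection. */
int build_term_string(char *dst, size_t dstsz, const char *name,
                      const char *sep, const char *suffix) {
    const char *parts[3] = { name, sep, suffix };
    size_t total = 0, off = 0;
    for (int i = 0; i < 3; i++) {
        if ((uintptr_t)parts[i] - (uintptr_t)dst < dstsz)
            return -1;               /* source aliases destination */
        total += strlen(parts[i]);
    }
    if (total + 1 > dstsz)
        return -1;                   /* no room for the terminator */
    for (int i = 0; i < 3; i++) {
        size_t len = strlen(parts[i]);
        memcpy(dst + off, parts[i], len);
        off += len;
    }
    dst[off] = '\0';
    return 0;
}
```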


