Bugtraq mailing list archives
Re: sunos rlogin
From: casper () holland Sun COM (Casper Dik)
Date: Thu, 5 Dec 1996 10:10:56 +0100
On both SunOS4 and current Solaris the problem is there, but not on the stack... I was wondering if it might be possible to exploit it under Solaris by overwriting libc's internal variables (like its internal signal handling stuff, maybe sending a SIGPIPE just at the right moment, since rlogin sets a SIGPIPE handler just before doing the offending strcpy()... doesn't Solaris put the real kernel signal handler to an address somewhere in libc, and then use a pointer to call the one the program set? I think I saw this somewhere...).
I believe you'll find that the program's data segment, which contains the TERM buffer, and the C library data segment, which contains all the data of the C library, both private and exported, are not contiguous. What remains is the dynamic linking jump table, but that lives at the beginning of the data segment. (This doesn't make it theoretically impossible yet, but I haven't found an alternative way of doing it; I think I found that there isn't much useful stuff after the term buffer at all.)

This bug is already fixed in the current development tree that will give 2.6. At this point we see no reason to make a patch.

Casper
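The defect the thread is discussing is an unbounded strcpy() of the TERM environment variable into a fixed-size buffer with static storage, i.e. one that lives in the data segment rather than on the stack. The following is an added illustration written for this archive page, not code from the thread or from Sun's rlogin source; the buffer name, size and function names are assumptions. It shows the vulnerable pattern beside a bounded version that rejects oversized input and leaves the buffer untouched.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: a fixed-size terminal-name buffer with static
 * storage, so it sits in the data/BSS segment, not on the stack. The
 * size is an assumption, not rlogin's real buffer size. */
#define TERM_MAX 64
static char term_buf[TERM_MAX];

/* The pattern the thread describes: an unbounded copy of a caller-
 * controlled string into a fixed static buffer. Anything longer than
 * TERM_MAX - 1 bytes overwrites whatever the linker placed after
 * term_buf in the data segment. Kept only for comparison; it is never
 * called with untrusted input here. */
void copy_term_unsafe(const char *term)
{
    strcpy(term_buf, term);
}

/* Length of s, scanning at most max bytes (portable stand-in for strnlen). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened form: refuse anything that does not fit including its NUL,
 * copy with an explicit bound, and guarantee termination.
 * Returns 0 on success, -1 if the input was rejected (term_buf untouched). */
int copy_term_checked(const char *term)
{
    size_t len;

    if (term == NULL)
        return -1;
    len = bounded_len(term, TERM_MAX);
    if (len >= TERM_MAX)        /* no room for the terminating NUL */
        return -1;
    memcpy(term_buf, term, len + 1);
    return 0;
}

/* Read-only view of the stored terminal name. */
const char *current_term(void)
{
    return term_buf;
}

int main(void)
{
    const char *term = getenv("TERM");

    if (copy_term_checked(term) != 0) {
        fprintf(stderr, "TERM missing or longer than %d bytes; using default\n",
                TERM_MAX - 1);
        copy_term_checked("dumb");
    }
    printf("terminal: %s\n", current_term());
    return 0;
}
```

The check on the hardened path is "length including NUL must fit", which is the condition strcpy() silently assumes; making it explicit turns a memory-corruption bug into a rejected input. An alternative is to truncate rather than reject, but for a terminal name that is passed on to another host, rejecting is the safer default.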
Current thread:
- Re: sunos rlogin Roger Espel Llima (Dec 04)
- Re: sunos rlogin Casper Dik (Dec 05)
- NFS/mountd minor bug Alan Cox (Dec 05)
- Re: NFS/mountd minor bug Brian Mitchell (Dec 05)
- Solaris 2.x Vulnerability [/usr/vmsys/bin/chkperm] Kevin L Prigge (Dec 05)
- Re: Solaris 2.x Vulnerability [/usr/vmsys/bin/chkperm] Paul B. Henson (Dec 05)
- Re: Solaris 2.x Vulnerability [/usr/vmsys/bin/chkperm] Jody L. Baze (Dec 05)
- Irix NFS fun Foowan (Dec 05)