Bugtraq mailing list archives

Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit

From: raskin () aoml noaa gov (Craig Raskin)
Date: Mon, 18 Nov 1996 20:29:28 -0500


On Mon, 18 Nov 1996, Jeremy Elson wrote:

I have found what I believe is a very serious security hole in the
gethostbyname() function provided in the nsl library of Solaris 2.5 and
2.5.1.  The hole allows local users to gain access to a root shell
(exploit program provided below).  There is a good chance this exploit can
be modified to allow a remote attack, but such a method has not yet been
found.


After doing some playing around, it looks like this only affects machines
with patch level 103615-01 and up. Try backing out of that patch and it
should fix the problem.

**************************************************************************
Craig Raskin, raskin () aoml noaa gov  "A competent and self-confident person
Unix System Administrator            is incapable of jealousy in anything.
U.S. Dept. Of Commerce               Jealousy is invariably a symptom of
NOAA/AOML, Miami Fl.                 neurotic insecurity." -- Heinlein

Current thread:

Re: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2)., (continued)
- - Re: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). Bryan Reece (Nov 17)
    - Re: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). Simon Karpen (Nov 17)
    - Magic password of some linux-box(Hardware..) Seo Euiseong (Nov 17)
    - rplayd on HPUX 10.1 Henrik P Johnson (Nov 19)
    - Re: BoS: Magic password of some linux-box(Hardware..) Sergiu Popovici (Nov 19)
    - Re: BoS: Magic password of some linux-box(Hardware..) Sergei A. Golubchik (Nov 19)
    - Irix: root exploit for LicenseManager Yuri Volobuev (Nov 19)
    - Re: BoS: Magic password of some linux-box(Hardware..) moost () xs4all nl (Nov 20)
    - Ascend Killer Program Aleph One (Nov 17)
    - Serious hole in Solaris 2.5[.1] gethostbyname() (exploit included) Jeremy Elson (Nov 18)
    - Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit Craig Raskin (Nov 18)
    - Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit Paul B. Henson (Nov 18)
    - Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit Russell Street (Nov 18)
    - ALERT: Solaris 2.5.1 locks up on TCP connections in Pine 3.9x Todd Vierling (Nov 18)
    - Re: ALERT: Solaris 2.5.1 locks up on TCP connections in Pine 3.9x Brian Harvell (Nov 20)
    - ssh w/ solaris 2.5.[1] Aleph One (Nov 18)
    - Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit Mike Battersby (Nov 18)
    - Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit Casper Dik (Nov 19)
    - Futile rexecd holes jaeger (Nov 18)
    - Re: Futile rexecd holes Roger Espel Llima (Nov 19)
    - Irix: new LicenseManager is safe? No way Yuri Volobuev (Nov 22)

(Thread continues...)