Bugtraq mailing list archives
Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit
From: casper () holland Sun COM (Casper Dik)
Date: Tue, 19 Nov 1996 09:30:08 +0100
> in nsswitch.conf, but as soon as you add "nis" in there the exploit program
> just sends things into an infinite loop (it appears).
Indeed; a long standing bug in nis is that if you send queries over 1K on Solaris 2.x, the nis client hangs for ever. (It also crashes some older NIS servers, so some caution is advised.)

As for the buffer overflow problem, it is understood and patches will be forthcoming. In the meantime, you may try your luck with the attached shell script. It modifies the running image of the kernel so that the stack no longer has execute permission.

Attachment: protect_stack

#!/bin/sh
#
# Protect SPARC stack against unwanted exec access
# Side effect: growth in data segment also loses exec bit.
# This may break some programs.
#
# Install as:
#	/etc/init.d/protect_stack
#	ln /etc/init.d/protect_stack /etc/rc2.d/S07protect_stack
#
# And all programs except init are protected after the next reboot.
#
# After installing the scripts, first test with:
#
#	/etc/init.d/protect_stack start
#
# Then start a new shell and test changes with /usr/proc/bin/pmap.
#
#	csh -fi
#	% pmap $$
#	......
#	00047000     56K read/write		- instead of rwx
#	0004D000     32K      [ heap ]
#	......
#	EFFFC000      8K read/write		- instead of rwx
#	EFFFC000     16K      [ stack ]
#	EFFFE000      8K read/write
#
#
# Seems to work on 2.4/2.5/2.5.1 but this may vary by patchlevel.
# Not all Sun MMUs support this, but it seems to have effect on sun4m and
# sun4u, probably won't have an effect on sun4c.
#
# The assembly checking may need tweaking depending on OS level and
# patchlevel.
#
# Casper Dik (Casper.Dik () Holland Sun COM)
#
# The contents of this file are intended to be read as
# an example. This is not a supported product of Sun
# Microsystems and no hotline calls will be accepted
# which directly relate to this information.
#
# NO LIABILITY WILL BE ACCEPTED BY SUN MICROSYSTEMS FOR
# ANY LOSS (DIRECT OR CONSEQUENTIAL) INCURRED IN ANY WAY
# BY ANY PARTY THROUGH THE USE OF THIS INFORMATION.
#
# NO WARRANTY OF ANY SORT IS IMPLIED OR GIVEN FOR ANY
# CODE DERIVED FROM THIS INFORMATION.

PATH=/usr/bin:$PATH

#
# Set/get values using adb.
# getvalue SYMBOL FORMAT   - read one word/halfword from the running kernel
# setvalue SYMBOL FORMAT VALUE - write it back (adb -w on /dev/mem)
#
getvalue () {
	echo $1/$2 | adb -k /dev/ksyms /dev/mem | awk "\"$1:\""' == $1 {print $2}'
}

setvalue () {
	echo $1/$2$3 | adb -wk /dev/ksyms /dev/mem >/dev/null 2>&1
}

#
# Check whether setting/unsetting is not dangerous: only patch when the
# kernel words are exactly the expected "old" or "new" values.
#
check () {
	map=`getvalue $mapaddr X`
	zfod=`getvalue $zfodaddr x`
	if [ "$map" = "$oldmap" -a "$zfod" = "$oldzfod" ]
	then
		old=true
	else
		old=false
	fi
	if [ "$map" = "$newmap" -a "$zfod" = "$newzfod" ]
	then
		new=true
	else
		new=false
	fi
}

p=`basename $0`

mapaddr=map_hunk+8
zfodaddr=zfod_segvn_crargs+0xd

#
# Instruction at $mapaddr should be: mov 0xf,%reg or mov 0xb,%reg
# this is a synthetic instruction that encodes as or %g0,0xf,$reg
#	10rr rrr0 0001 0000 0010 0000 0000 1x11
#
# Try and find it at several locations.
#
for mapaddr in map_hunk+8 map_hunk+0xc
do
	mapval=`getvalue $mapaddr X`
	case $mapval in
	[9ab][02468ace]10200[bf])
		reg=`expr $mapval : '\(..\)'`
		break;;
	esac
done

if [ -z "$reg" ]
then
	echo "${p}: Instruction doesn't match" 1>&2
	exit 1
fi

echo "${p}: Instruction prefix set to $reg ($mapval@$mapaddr)"

# 0xf = PROT_READ|PROT_WRITE|PROT_EXEC|PROT_USER, 0xb = same without EXEC
oldmap=${reg}10200f
newmap=${reg}10200b

oldzfod=f0f
newzfod=b0f

case "$1" in
start)
	check
	if $new
	then
		echo "${p}: New kernel parameters already set" 1>&2
		exit 0
	fi
	if $old
	then
		setvalue $mapaddr W $newmap
		setvalue $zfodaddr w $newzfod
		echo "${p}: Stack protected"
	else
		echo "${p}: Kernel value mismatch $map != $oldmap or $zfod != $oldzfod" 1>&2
		exit 1
	fi
	;;
stop)
	check
	if $old
	then
		echo "${p}: Old kernel parameters already set" 1>&2
		exit 0
	fi
	if $new
	then
		setvalue $mapaddr W $oldmap
		setvalue $zfodaddr w $oldzfod
		echo "${p}: Stack no longer protected"
	else
		echo "${p}: Kernel value mismatch $map != $newmap or $zfod != $newzfod" 1>&2
		exit 1
	fi
	;;
*)
	echo "Usage: ${p} [start|stop]" 1>&2
	exit 1;;
esac
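The script's comments say to verify the change by reading pmap(1) output by eye; the following is an added helper (not part of Casper Dik's script or the Bugtraq post) that automates that check by flagging every mapping that is both writable and executable. The pmap line layout, addresses and sizes below are constructed for illustration and are assumed to match the "ADDR SIZE PERMS LABEL" form of the pmap build in use.

```shell
#!/bin/sh
# Constructed pmap-style samples: the same process before and after
# the stack/heap lose their exec bit.
PMAP_BEFORE='00010000      8K read/exec            /usr/bin/csh
00047000     56K read/write/exec      [ heap ]
EFFFC000     16K read/write/exec      [ stack ]
EFFFE000      8K read/write           [ anon ]'

PMAP_AFTER='00010000      8K read/exec            /usr/bin/csh
00047000     56K read/write           [ heap ]
EFFFC000     16K read/write           [ stack ]
EFFFE000      8K read/write           [ anon ]'

# Print the label (4th column onwards) of each mapping whose permission
# field contains both "write" and "exec", i.e. a W+X region.
writable_exec_mappings () {
	printf '%s\n' "$1" |
	awk '$3 ~ /write/ && $3 ~ /exec/ { $1 = $2 = $3 = ""; sub(/^ +/, ""); print }'
}

# Exit status 0 when the stack mapping is still executable.
stack_is_executable () {
	writable_exec_mappings "$1" | grep -q 'stack'
}

# Live use on a running process (assumes the pmap path from the script's
# comments): check_pid "$$"
check_pid () {
	writable_exec_mappings "$(/usr/proc/bin/pmap "$1")"
}
```

On Solaris 2.6 and later the supported way to get the same effect is the noexec_user_stack tunable in /etc/system rather than patching the kernel image with adb.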