Bugtraq mailing list archives
Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit
From: casper () holland Sun COM (Casper Dik)
Date: Tue, 19 Nov 1996 09:30:08 +0100
------- =_aaaaaaaaaa0 Content-Type: text/plain; charset="us-ascii" Content-ID: <3266.848392146.1@holland>
in nsswitch.conf, but as soon as you add "nis" in there the exploit program just sends things into an infinite loop (it appears).
Indeed; a long standing bug in nis is that if you send quesries over 1K
on Solaris 2.x, the nis client hangs for ever. (It also crashes some
older NIS servers, so some caution is advised.)
As for the bug overflow problem, it is understood and patches will
be forthcoming.
In the meantime, you may try your luck with the attacked shell script.
It modifies the running image of the kernel so that the stack no longer
has execute permission.
------- =_aaaaaaaaaa0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <3266.848392146.2@holland>
Content-Description: protect_stack
#!/bin/sh
#
# Protect SPARC stack against unwanted exec access
# Side effect: growth in data segment also loses exec bit.
# This may break some programs.
#
# Install as:
# /etc/init.d/protect_stack
# ln /etc/init.d/protect_stack /etc/rc2.d/S07protect_stack
#
# And all programs except init are protected after the next reboot.
#
# After installing the scripts, first test with:
#
# /etc/init.d/protect_stack start
#
# Then start a new shell and test changes with /usr/proc/bin/pmap.
#
# csh -fi
# % pmap $$
# ......
# 00047000 56K read/write - instead of rwx
# 0004D000 32K [ heap ]
# ......
# EFFFC000 8K read/write - instead of rwx
# EFFFC000 16K [ stack ]
# EFFFE000 8K read/write
#
#
# Seems to work on 2.4/2.5/2.5.1 but this may vary by patchlevel.
# Not all Sun MMUs support this, but it seems to haev effect on sun4m and
# sun4u, probably won't have an effect on sun4c.
#
# The assembly checking may need tweaking depending on OS level and
# patchlevel.
#
# Casper Dik (Casper.Dik () Holland Sun COM)
#
# The contents of this file are intended to be read as
# an example. This is not a supported product of Sun
# Microsystems and no hotline calls will be accepted
# which directly relate to this information.
#
# NO LIABILITY WILL BE ACCEPTED BY SUN MICROSYSTEMS FOR
# ANY LOSS (DIRECT OR CONSEQUENTIAL) INCURRED IN ANY WAY
# BY ANY PARTY THROUGH THE USE OF THIS INFORMATION.
#
# NO WARRANTY OF ANY SORT IS IMPLIED OR GIVEN FOR ANY
# CODE DERIVED FROM THIS INFORMATION.
PATH=/usr/bin:$PATH
#
#
# Set/get values using adb.
#
getvalue ()
{
echo $1/$2 | adb -k /dev/ksyms /dev/mem | awk "\"$1:\""' == $1 {print $2}'
}
setvalue ()
{
echo $1/$2$3 | adb -wk /dev/ksyms /dev/mem >/dev/null 2>&1
}
#
# Check whether setting/unsetting is not dangerous.
#
check ()
{
map=`getvalue $mapaddr X`
zfod=`getvalue $zfodaddr x`
if [ "$map" = "$oldmap" -a "$zfod" = "$oldzfod" ]
then
old=true;
else
old=false
fi
if [ "$map" = "$newmap" -a "$zfod" = "$newzfod" ]
then
new=true
else
new=false
fi
}
p=`basename $0`
mapaddr=map_hunk+8
zfodaddr=zfod_segvn_crargs+0xd
#
# Instruction should at $mapaddr should be: mov 0xf,%reg or mov 0xb,%reg
# this is a synthetic instruction that encodes as or %g0,0xf,$reg
# 10rr rrr0 0001 0000 0010 0000 0000 1x11
#
# Try and find it at several locations.
#
for mapaddr in map_hunk+8 map_hunk+0xc
do
mapval=`getvalue $mapaddr X`
case $mapval in
[9ab][02468ace]10200[bf])
reg=`expr $mapval : '\(..\)'`
break;;
esac
done
if [ -z "$reg" ]
then
echo "${p}: Instruction doesn't match" 1>&2
exit 1
fi
echo "${p}: Instruction prefix set to $reg ($mapval@$mapaddr)"
oldmap=${reg}10200f
newmap=${reg}10200b
oldzfod=f0f
newzfod=b0f
case "$1" in
start)
check
if $new
then
echo "${p}: New kernel parameters already set" 1>&2
exit 0
fi
if $old
then
setvalue $mapaddr W $newmap
setvalue $zfodaddr w $newzfod
echo "${p}: Stack protected"
else
echo "${p}: Kernel value mismatch $map != $oldmap or $zfod != $oldzfod" 1>&2
exit 1
fi
;;
stop)
check
if $old
then
echo "${p}: Old kernel parameters already set" 1>&2
exit 0
fi
if $new
then
setvalue $mapaddr W $oldmap
setvalue $zfodaddr w $oldzfod
echo "${p}: Stack no longer protected"
else
echo "${p}: Kernel value mismatch $map != $newmap or $zfod != $newzfod" 1>&2
exit 1
fi
;;
*)
echo "Usage: ${p} [start|stop]" 1>&2
exit 1;;
esac
------- =_aaaaaaaaaa0--
Current thread:
- Re: BoS: Magic password of some linux-box(Hardware..), (continued)
- Re: BoS: Magic password of some linux-box(Hardware..) moost () xs4all nl (Nov 20)
- Ascend Killer Program Aleph One (Nov 17)
- Serious hole in Solaris 2.5[.1] gethostbyname() (exploit included) Jeremy Elson (Nov 18)
- Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit Craig Raskin (Nov 18)
- Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit Paul B. Henson (Nov 18)
- Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit Russell Street (Nov 18)
- ALERT: Solaris 2.5.1 locks up on TCP connections in Pine 3.9x Todd Vierling (Nov 18)
- Re: ALERT: Solaris 2.5.1 locks up on TCP connections in Pine 3.9x Brian Harvell (Nov 20)
- ssh w/ solaris 2.5.[1] Aleph One (Nov 18)
- Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit Mike Battersby (Nov 18)
- Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit Casper Dik (Nov 19)
- Futile rexecd holes jaeger (Nov 18)
- Re: Futile rexecd holes Roger Espel Llima (Nov 19)
- Irix: new LicenseManager is safe? No way Yuri Volobuev (Nov 22)
- Re: Futile rexecd holes Jon Peatfield (Nov 22)
- Administratrivia Aleph One (Nov 22)
- Administratrivia Scriptors of DOOM (Nov 23)
- A Stupid script. Efrain Torres (Nov 22)
- A Stupid script. Aleph One (Nov 24)
- AIX lquerypv Aleph One (Nov 25)
- lquerypv fix Troy Bollinger (Nov 25)