Bugtraq mailing list archives
Re: BIG Security Hole in Solaris 2.X (X)passwd + exploit (fwd)
From: avarvit () CC ECE NTUA GR (Aggelos P. Varvitsiotis)
Date: Thu, 27 Feb 1997 19:44:57 +0200
Cristian SCHIPOR <skipo () sundy cs pub ro> writes:
> An exploit for a big big security hole in passwd (+ yppasswd and nispasswd).
>
> Under Solaris 2.X, passwd, yppasswd and nispasswd can be overflowed in an internal function (something like sa_chauthtok()). Using a buffer overflow exploit anyone can gain root access (passwd needs the suid exec bit from root). passwd has a second overflow bug when it is called with the '-s' option, in an internal strcpy().
>
> I wrote two exploits, one for Solaris 2.4 and one for Solaris 2.5, for the sa_chauthtok()-type function (passwd LEMON_BUFFER). There is a little trick here: the LEMON_BUFFER is shifted in memory by 1 char after exec, so the LEMON_BUFFER must be shifted in the reverse direction before exec. That happens only for a special combination of the exec args; see my exploits.
[exploits deleted]

I verified the exploit on Solaris 2.5.1, when /etc/nsswitch.conf contains the line

    passwd: files

However, as was the case with the gethostbyname() exploit, when /etc/nsswitch.conf reads

    passwd: files nis

the exploit did not work. It seems that passwd(1) queries the NIS server and falls into some kind of an infinite loop. Maybe Casper Dik (who, if I remember well, had an explanation for the gethostbyname() case) can explain this better than I can. Can anyone confirm this behavior?

---
a.varvitsiotis () ece ntua gr
A.Varvitsiotis
ICCS Computer Center
National Technical University of Athens
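The defect class the thread describes (a setuid program copying an untrusted command-line argument into a fixed-size buffer with an unchecked strcpy()) is shown below from the defensive side. This is an added example, not code from the thread, from Solaris passwd(1), or from any of the exploits mentioned; the field size FIELD_MAX, the function names and the accepted character set are assumptions made for illustration and do not describe the real passwd buffers.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example (not Solaris code). FIELD_MAX is an assumed, illustrative
 * field size; the real passwd(1) buffer sizes are not given in the thread. */
#define FIELD_MAX 64

/* Bounded length: stops scanning after 'limit' bytes so an unterminated or
 * huge argument cannot cause us to read past what we are willing to accept. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Copy src into dst (capacity dst_size). Unlike the unchecked
 *     strcpy(dst, src);
 * pattern, an argument that does not fit is refused (return -1) rather than
 * silently truncated or written past the end of dst. Returns 0 on success. */
int copy_field_checked(char *dst, size_t dst_size, const char *src)
{
    size_t n;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    n = bounded_len(src, dst_size);
    if (n >= dst_size)          /* no room left for the NUL terminator */
        return -1;
    memcpy(dst, src, n + 1);    /* n bytes plus the terminator */
    return 0;
}

/* Validate an argument before it reaches any copy or library call:
 * a length limit plus a conservative character set (assumed here for a
 * login or shell-path style field). Returns 1 if acceptable, 0 otherwise. */
int arg_is_acceptable(const char *arg, size_t max_len)
{
    size_t i;
    if (arg == NULL)
        return 0;
    for (i = 0; arg[i] != '\0'; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (i >= max_len)
            return 0;
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '_' || c == '-' ||
              c == '/' || c == '.'))
            return 0;
    }
    return 1;
}

/* Stand-alone demonstration: validate, then copy, argv[1] into a fixed buffer. */
int main(int argc, char **argv)
{
    char field[FIELD_MAX];
    const char *arg = (argc > 1) ? argv[1] : "demo";

    if (!arg_is_acceptable(arg, FIELD_MAX - 1) ||
        copy_field_checked(field, sizeof field, arg) != 0) {
        fprintf(stderr, "argument rejected\n");
        return 1;
    }
    printf("accepted: %s\n", field);
    return 0;
}
```

The order matters: the validator runs before any copy, so an over-long or oddly formed argument is rejected while it is still only a pointer into argv, and the copy itself re-checks the bound rather than trusting the caller. In a setuid program this is the check that turns a root compromise into a refused argument.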
Current thread:
- Re: BIG Security Hole in Solaris 2.X (X)passwd + exploit (fwd) Aggelos P. Varvitsiotis (Feb 27)
- Re: BIG Security Hole in Solaris 2.X (X)passwd + exploit (fwd) Casper Dik (Feb 27)
- L0pht: Kerberos 4 Attack tool Gary McGraw (Feb 27)