Bugtraq mailing list archives

Re: Solaris ld.so possibly vulnerable?


From: casper () HOLLAND SUN COM (Casper Dik)
Date: Tue, 22 Jul 1997 11:47:28 +0200


As for the existence of a stack overrun condition similar to the one
in Linux in the Solaris ld.so, I do not believe this to be the case.

The bug the program you posted triggers is indeed because of a call to
strcpy(), however the buffers in question are not on the stack but are
malloc()ed during run time.  (There are some cases where ld.so first calls
strlen() to determine how much memory to ask malloc() for, if I remember
correctly; obviously, the particular instance you've discovered is not one
of those).


The bug is in a routine that formats error messages into a dynamically allocated
buffer.

Since the buffer will live after the program's data segment, the _iob
(stdioflow) trick won't work on it.

Also, when applied to a set-uid/set-gid program it isn't possible to
force an ld.so error using LD_PRELOAD (ignored) or many of the
other LD_ variables (they're mostly ignored).

However, in some versions of Solaris such errors are generated by the
implementation of dynamically loadable functionality and on such systems
you can crash set-uid executables.


Casper
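As an added illustration of the two allocation patterns the post contrasts (a fixed-size heap buffer handed to strcpy() without a capacity check, versus calling strlen() first and asking malloc() for exactly enough), here is a small C example. It is constructed for this note and is not Solaris ld.so code; the function names, the 64-byte capacity and the "prefix: detail" message shape are assumptions. The buggy pattern is kept as a predicate that reports whether the copy would exceed the buffer rather than performing an overflowing copy.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical error-message formatter (assumption: not Solaris ld.so code). */

/* Bytes needed for "<prefix>: <detail>", not counting the terminating NUL. */
size_t needed_len(const char *prefix, const char *detail)
{
    return strlen(prefix) + 2 + strlen(detail);
}

/* Buggy pattern: a heap buffer of a fixed size receives an unbounded strcpy().
 * The capacity is never compared with the input, so a long message runs past
 * the malloc()ed block. Instead of performing that copy (undefined behaviour),
 * this function reports whether it would overflow, i.e. the missing check. */
#define FIXED_MSG_CAP 64
int fixed_buffer_would_overflow(const char *prefix, const char *detail)
{
    return needed_len(prefix, detail) + 1 > FIXED_MSG_CAP;
}

/* Safe pattern: measure with strlen() first, malloc() exactly enough, and use a
 * length-bounded write so the buffer size and the copy can never disagree.
 * The caller frees the result. */
char *format_error(const char *prefix, const char *detail)
{
    size_t cap = needed_len(prefix, detail) + 1;
    char *buf = malloc(cap);
    if (buf == NULL)
        return NULL;
    /* snprintf truncates instead of overrunning if cap were ever miscomputed. */
    int n = snprintf(buf, cap, "%s: %s", prefix, detail);
    if (n < 0 || (size_t)n >= cap) {   /* only trips on a sizing bug */
        free(buf);
        return NULL;
    }
    return buf;
}

int main(void)
{
    /* Constructed sample inputs, not real ld.so output. */
    const char *prefix = "ld.so.1: fatal";
    const char *detail = "libexample.so.1: open failed";
    char *msg = format_error(prefix, detail);
    if (msg == NULL)
        return 1;
    printf("%s\n", msg);
    printf("fixed %d-byte buffer would overflow: %d\n", FIXED_MSG_CAP,
           fixed_buffer_would_overflow(prefix, detail));
    free(msg);
    return 0;
}
```

The point of the safe variant is that the size passed to malloc() and the bound passed to the write are derived from the same computation, so there is no separate constant that can drift out of step with the input.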


