Bugtraq mailing list archives

Re: Exploit for buffer overflow in /bin/eject - Solaris 2.X -


From: casper () HOLLAND SUN COM (Casper Dik)
Date: Fri, 14 Mar 1997 12:24:39 +0100


Thu  Mar 13 21:01:00 EET 1997  - Romania

"Hole in /bin/eject - buffer overflow"

I exploited the buffer overflow hole in /bin/eject on Solaris 2.X (which
has the suid exec bit and is owned by root). The buffer overflow problem
appears in an internal function, media_find(). The result is: any user can
gain a root shell. So, to prevent the /bin/eject exploit, you have to remove
the suid-exec bit from /bin/eject (that's very simple) and compile a little
program like:


This bug is most likely fixed with the following Sun patches:


101907-13: SunOS 5.4: fixes to volume management
101908-13: SunOS 5.4_x86: fixes to volume management
104010-01: SunOS 5.5.1: VolMgt Patch
104011-01: SunOS 5.5.1_x86: VolMgt Patch
104012-01: SunOS 5.5.1_ppc: VolMgt Patch
104015-01: SunOS 5.5: vold filemgr fixes
104016-01: SunOS 5.5_x86: vold filemgr fixes


Casper
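
A defender-side check built from the patch list in the message above, as an added example that is not part of the original post: it compares `showrev -p` style output against the patch listed for a host's release and architecture. It assumes the unsuffixed list entries are the SPARC patches, that `uname -p` reports `sparc`, `i386` or `ppc`, that the output uses `Patch: ID Obsoletes: ... Packages: ...` lines, and that an installed patch listing the ID under `Obsoletes:` carries the fix; the function names are hypothetical and the sample output is constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Patch IDs are from the message.

# required_patch REL ARCH: print the patch listed for that release, or fail.
# Assumption: list entries without an _x86/_ppc suffix are the SPARC patches.
required_patch() {
    case "$1/$2" in
        5.4/sparc)   echo 101907-13 ;;
        5.4/i386)    echo 101908-13 ;;
        5.5/sparc)   echo 104015-01 ;;
        5.5/i386)    echo 104016-01 ;;
        5.5.1/sparc) echo 104010-01 ;;
        5.5.1/i386)  echo 104011-01 ;;
        5.5.1/ppc)   echo 104012-01 ;;
        *)           return 1 ;;
    esac
}

# patch_ok ID: read `showrev -p` style lines on stdin; succeed if ID's base
# patch is installed, or obsoleted by an installed patch, at revision >= ID's.
patch_ok() {
    awk -v want="$1" '
        BEGIN { split(want, w, "-") }
        $1 == "Patch:" {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /:$/ && $i != "Obsoletes:") break   # next field label
                id = $i; sub(/,$/, "", id)
                if (split(id, p, "-") == 2 && p[1] == w[1] && p[2] + 0 >= w[2] + 0) ok = 1
            }
        }
        END { exit(ok ? 0 : 1) }'
}

# eject_status REL ARCH: print "ok ID", "missing ID" or "unknown".
eject_status() {
    want=$(required_patch "$1" "$2") || { echo unknown; return 0; }
    if patch_ok "$want"; then echo "ok $want"; else echo "missing $want"; fi
}

# Constructed sample of `showrev -p` output (199999-02 is a made-up patch ID).
SAMPLE='Patch: 104010-01 Obsoletes:  Packages: SUNWvolu
Patch: 101907-09 Obsoletes:  Packages: SUNWvolu
Patch: 199999-02 Obsoletes: 104015-02, 199998-01  Packages: SUNWvolu'

printf '%s\n' "$SAMPLE" | eject_status 5.5.1 sparc
# On a host: showrev -p | eject_status "$(uname -r)" "$(uname -p)"
```

A "missing" result means the setuid bit on /bin/eject is still the exposure the message describes until the listed patch is applied.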


