Bugtraq mailing list archives
Re: Exploit for buffer overflow in /bin/eject - Solaris 2.X -
From: casper () HOLLAND SUN COM (Casper Dik)
Date: Fri, 14 Mar 1997 12:24:39 +0100
> Thu Mar 13 21:01:00 EET 1997 - Romania
>
> "Hole in /bin/eject - buffer overflow"
>
> I exploited the buffer overflow hole in /bin/eject on Solaris 2.X (which has the suid exec bit and is owned by root). The buffer overflow problem appears in an internal function, media_find(). The result is: any user can gain a root shell. So, to prevent the /bin/eject exploit, you have to remove the suid-exec bit from /bin/eject (that's very simple) and compile a little program like:

This bug is most likely fixed with the following Sun patches:

101907-13: SunOS 5.4: fixes to volume management
101908-13: SunOS 5.4_x86: fixes to volume management
104010-01: SunOS 5.5.1: VolMgt Patch
104011-01: SunOS 5.5.1_x86: VolMgt Patch
104012-01: SunOS 5.5.1_ppc: VolMgt Patch
104015-01: SunOS 5.5: vold filemgr fixes
104016-01: SunOS 5.5_x86: vold filemgr fixes

Casper
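
A host check for the two mitigations named in this thread (clearing the setuid bit on /bin/eject, installing one of the listed patches), added here as an example and not written by either poster. It assumes `showrev -p` prints lines of the form `Patch: <id>-<rev> ...`; the function names and the sample output are constructed, and a patch match only shows the patch is present, since the reply says "most likely fixed".

```shell
#!/bin/sh
# Patch IDs and minimum revisions exactly as listed in the reply above.
VOLMGT_FIXES="101907-13 101908-13 104010-01 104011-01 104012-01 104015-01 104016-01"

# Constructed samples of `showrev -p` output (not taken from a real host).
SAMPLE_PATCHED='Patch: 999999-01 Obsoletes:  Requires:  Incompatibles:  Packages: EXAMPLEpkg
Patch: 104010-01 Obsoletes:  Requires:  Incompatibles:  Packages: EXAMPLEpkg'
SAMPLE_OLD='Patch: 999999-01 Obsoletes:  Requires:  Incompatibles:  Packages: EXAMPLEpkg
Patch: 101907-12 Obsoletes:  Requires:  Incompatibles:  Packages: EXAMPLEpkg'

# Read `showrev -p` style output on stdin. Print every installed patch whose
# ID is in VOLMGT_FIXES at the listed revision or newer; return 1 if none.
volmgt_patch_installed() {
    awk -v fixes="$VOLMGT_FIXES" '
        BEGIN {
            n = split(fixes, f, " ")
            for (i = 1; i <= n; i++) { split(f[i], p, "-"); min[p[1]] = p[2] + 0 }
        }
        $1 == "Patch:" {
            split($2, q, "-")
            # Compare revisions numerically so that -13 is newer than -9.
            if ((q[1] in min) && q[2] + 0 >= min[q[1]]) { print $2; found = 1 }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Return 0 if the file still carries the setuid bit the post says to remove.
still_setuid() {
    [ -u "$1" ]
}

# Return 0 (exposed) when the binary is still setuid AND no listed patch
# shows up in the `showrev -p` output supplied on stdin.
eject_exposed() {
    still_setuid "$1" || return 1
    if volmgt_patch_installed >/dev/null; then return 1; fi
    return 0
}

# Demonstration on the constructed sample; on a Solaris host one would run:
#   showrev -p | eject_exposed /bin/eject && echo "eject needs attention"
printf '%s\n' "$SAMPLE_PATCHED" | volmgt_patch_installed
```
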