Bugtraq mailing list archives
Re: Solaris libc exploit
From: scott () IGC APC ORG (Scott Weikart)
Date: Thu, 15 Jul 1999 14:37:00 -0700
4118295 LC_* can be used to obtain root access from setuid programs

This is already fixed in Solaris 7 and the following patches for Solaris 2.6:

RELEASE  ARCH   PATCH
5.6      i386   105211-06
5.6      sparc  105210-06

OK, did I miss the later messages on this topic? I've been waiting for a formal announcement from Sun, or a real patch, or someone to say that this patch definitely fixes the problem, or SOMETHING...

I don't know what version of patching Peter was talking about, but right now, I can consistently gain root on my Solaris 7 sparc box, with MU2 applied, using the LC_MESSAGES buffer overflow exploit. And I can consistently do Bad Things to sh on a Solaris 2.6 box with 105210-19 (it's a production machine, I can't actively root it).

Both 105210-22 and 105211-22 were released June 25, and list as the bug fixed:

4240566 security: LC_MESSAGES buffer overflow

-scott