Re: [Hackerslab bug_paper] Solaris chkperm buffer overflow

[teddi () LINUX IS (Theodor Ragnar Gislason)]

On Thu, 6 Jan 2000, Brock Tellier wrote:

> > [Hackerslab bug_paper] Solaris chkperm buffer overflow
> >
> > [Hackerslab:/users/loveyou/buf]$ chkperm -n `perl -e 'print "x" x 200'`
> > Segmentation fault (core dumped)
> >
> > it is recommended that  the suid bit is
> > removed from chkperm using command :
> >
> > chmod 400 /usr/vmsys/bin/chkperm
>
> Hrm, yeah, I found this one some months ago while I was checking out chkperm's
> ability to read bin-owned files.  After some testing I concluded that, at
> least on SPARC, the function where the overflow occurs will exit() before it
> is allowed to return (and then return again), meaning that a buffer overflow
> exploit is probably not possible.  I would be interested to see if anyone came
> to a different conclusion.

I also noticed this bug some time ago under similar circumstances and I
concluded that it is _NOT_ exploitable under i386.

-

DiGiT