Bugtraq mailing list archives
Re: [Hackerslab bug_paper] Solaris chkperm buffer overflow
From: teddi () LINUX IS (Theodor Ragnar Gislason)
Date: Fri, 7 Jan 2000 21:47:26 +0000
On Thu, 6 Jan 2000, Brock Tellier wrote:
> > [Hackerslab bug_paper] Solaris chkperm buffer overflow
> >
> > [Hackerslab:/users/loveyou/buf]$ chkperm -n `perl -e 'print "x" x 200'`
> > Segmentation fault (core dumped)
> >
> > It is recommended that the suid bit be removed from chkperm using the command:
> > chmod 400 /usr/vmsys/bin/chkperm
>
> Hrm, yeah, I found this one some months ago while I was checking out
> chkperm's ability to read bin-owned files. After some testing I concluded
> that, at least on SPARC, the function where the overflow occurs will exit()
> before it is allowed to return (and then return again), meaning that a
> buffer overflow exploit is probably not possible. I would be interested to
> see if anyone came to a different conclusion.
I also noticed this bug some time ago under similar circumstances and I
concluded that it is _NOT_ exploitable under i386.

- DiGiT
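The argument in both replies is that the overflow is real (the saved return address does get overwritten by a 200-byte argument) but unusable, because the overflowed function calls exit() before anything ever loads that slot back into the program counter. The following C program is an added illustration of that reasoning and is not chkperm's code or any poster's code: the frame layout, the 32-byte buffer, the 0x1000 "legitimate" return address and the function names are all hypothetical, and the frame lives in a plain byte array so the overflow is well-defined in the demo rather than undefined behaviour on the real stack.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the argument in the thread, not chkperm's real frame layout:
 * a fixed-size stack buffer followed by the saved return address, laid
 * out in a byte array so that the overflow is well-defined in this demo. */
#define BUF_SIZE   32
#define STACK_SIZE 512                       /* room for the 200-byte input */
#define RET_ORIGINAL ((uintptr_t)0x1000)     /* hypothetical legitimate return address */

enum outcome {
    RET_INTACT,            /* input fit in the buffer */
    RET_CLOBBERED_UNUSED,  /* overwritten, but exit() ran before any return */
    RET_CLOBBERED_USED,    /* overwritten and consumed by a return: hijackable */
    INPUT_TOO_LARGE        /* would overrun even the model stack */
};

/* Lay out the frame, then copy the argument with no length check, which is
 * the strcpy-style defect that `chkperm -n <200 x's>` triggers. */
static int build_frame(unsigned char *stack, const char *arg)
{
    uintptr_t ret = RET_ORIGINAL;
    size_t n = strlen(arg) + 1;              /* strcpy copies the NUL too */
    if (n > STACK_SIZE)
        return -1;
    memset(stack, 0, STACK_SIZE);
    memcpy(stack + BUF_SIZE, &ret, sizeof ret);
    memcpy(stack, arg, n);                   /* unchecked: may pass BUF_SIZE */
    return 0;
}

/* function_returns: 1 if the overflowed function reaches its return
 * instruction, 0 if it calls exit() first (the SPARC observation above). */
enum outcome simulate(const char *arg, int function_returns)
{
    unsigned char stack[STACK_SIZE];
    uintptr_t saved;

    if (build_frame(stack, arg) != 0)
        return INPUT_TOO_LARGE;
    memcpy(&saved, stack + BUF_SIZE, sizeof saved);
    if (saved == RET_ORIGINAL)
        return RET_INTACT;
    /* The slot is corrupt.  It only matters if something later loads it
     * into the program counter: on this function's return, or (with SPARC
     * register windows) when the window holding it is restored on a later
     * return.  exit() before either point means it is never used. */
    return function_returns ? RET_CLOBBERED_USED : RET_CLOBBERED_UNUSED;
}

/* Build an argument of n 'x' characters, like the advisory's perl one-liner. */
const char *x_arg(size_t n)
{
    static char buf[STACK_SIZE + 1];
    if (n > STACK_SIZE)
        n = STACK_SIZE;
    memset(buf, 'x', n);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    static const char *names[] = {
        "intact", "clobbered but unused", "clobbered and used", "input too large"
    };
    printf("200 x's, exit() before return: %s\n", names[simulate(x_arg(200), 0)]);
    printf("200 x's, normal return:        %s\n", names[simulate(x_arg(200), 1)]);
    printf("short argument:                %s\n", names[simulate("-n", 1)]);
    return 0;
}
```

The practical check this encodes is the one both posters did by hand: an overwritten return address is a necessary but not sufficient condition, and the next question after a segfault is always whether the corrupted slot is ever consumed on the path the input drives.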
Current thread:
- [Hackerslab bug_paper] Solaris chkperm buffer overflow 김용준 KimYongJun (99 graduate) (Jan 05)
- Re: [Hackerslab bug_paper] Solaris chkperm buffer overflow Darren Reed (Jan 06)
- <Possible follow-ups>
- Re: [Hackerslab bug_paper] Solaris chkperm buffer overflow Brock Tellier (Jan 06)
- Re: [Hackerslab bug_paper] Solaris chkperm buffer overflow Theodor Ragnar Gislason (Jan 07)
- Altavista followup rudi carell (Jan 09)