Bugtraq mailing list archives
Solaris libc locale bug exploit against non-exec stack
From: Warning3 <warning3 () mail com>
Date: Tue, 14 Nov 2000 19:27:25 +0800
It seems Sun hasn't supplied the patch for the libc locale bug yet. Many suid programs are affected by this bug, e.g. passwd, eject, login, ping, rcp, etc. It is not enough to just drop "eject"'s suid bit. You are also not safe even if you have enabled non-exec stack protection.

Attached is the exploit against "/usr/bin/passwd" in Solaris 2.6/7 (SPARC) with non-exec stack protection.

regards,
warning3
Attachment: local_nonexec_sun.c