Bugtraq mailing list archives

Solaris libc locale bug exploit against non-exec stack


From: Warning3 <warning3 () mail com>
Date: Tue, 14 Nov 2000 19:27:25 +0800


It seems Sun hasn't supplied the patch for libc locale bug yet.
Many suid programs are affected by this bug, e.g. passwd, eject, login,
ping, rcp, etc. It is not enough just to drop the "eject"'s suid bit.
You are also not safe even if you have enabled non-exec stack protection.
Attachment is the exploit against "/usr/bin/passwd" in Solaris 2.6/7
(SPARC) with non-exec stack protection.

regards,
warning3

Attachment: local_nonexec_sun.c