Security Incidents mailing list archives

Re: Solaris statd exploit?


From: Juliano Rizzo <core.lists.incidents () CORE-SDI COM>
Date: Fri, 1 Sep 2000 01:30:29 -0300

On 31 Aug 2000, Fyodor wrote:


> Generally speaking formatted string vulnerabilities are _NOT_ exploitable
> on sparc platforms the way they are being exploited nowadays on x86.

That's not true; format string bugs are exploitable on sparc with a little
variation of the x86 or other archs' exploits.

> problem is due to alignment requirements you can not shift the address
> per-byte to write return address,

It isn't necessary to write the return address byte by byte. I think the
best method to write it is using short ints; then you need only two
addresses to write to, and alignment isn't a problem at all. In this way you
avoid the next problem too:

> and due to libc limitations (at least on
> solaris7 and 2.6) you can not write more than 4fc (last time I
> checked) bytes per-call, which means that you can not place higher
> address. (anyone who can prove that I am wrong, I'd be happy to hear this,
> honest! :))

Well, I imagine you are trying to write the ret address with 4 %n.
I dislike that method. I don't understand the 0x4FC limitation; maybe
you are using something like %.1277d and your printf implementation
overflows with long precision fields. You could try with %1277c.

Btw, the format string exploits look better if you use the $ conversion
form and %hn.
To exploit usfs on sparc maybe you should pay attention to: big endian
byte order, memory alignment (but it isn't a problem) and the printf
implementation (problems with $ and printf's overflows).

> So even if you assume that statd on solaris has this sort of problem
> (which looks a lot like a fingerprint of recently released linux statd
> sploit) you still can sleep well if you're running it on sparcs. :)

Are you sure?

--
Juliano Rizzo <juliano () core-sdi com>
http://julianor.tripod.com
http://www.core-sdi.com



--- For a personal reply use juliano () core-sdi com
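The directives the thread argues about (%n-family writes, the n$ positional form, and very wide fields such as %1277c) are exactly what a defender wants to recognise in untrusted input. The following C program is an added example written for this archive page; it is not code from the thread, from Juliano Rizzo, or from any statd implementation. It scans a string for printf conversions and reports how many of them write to memory, how many use the $ form, and the largest width or precision seen, and it shows the call pattern that closes the bug class: passing user text as the data argument of a fixed "%s" format instead of as the format itself. The function names (scan_format_directives, log_untrusted), the fmt_report struct, and the sample strings are all constructed for this example.

```c
/* Added example: classify printf directives in untrusted input (detection)
 * and log the input safely (mitigation). Not from the original thread. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed report type for this example. */
struct fmt_report {
    int directives;   /* conversions found, not counting the literal "%%" */
    int writes;       /* %n, %hn, %hhn, %ln ...: conversions that store to memory */
    int positional;   /* conversions using the "n$" argument-selection form */
    long max_width;   /* largest width or precision field seen */
};

/* Consume a run of decimal digits at *p and return their value (0 if none). */
static long parse_number(const char **p)
{
    long v = 0;
    while (isdigit((unsigned char)**p)) {
        v = v * 10 + (**p - '0');
        (*p)++;
    }
    return v;
}

/* Walk the input following the printf grammar %[n$][flags][width][.prec][len]conv.
 * Returns 0 (no directives), 1 (directives present), 2 (memory-write directive). */
int scan_format_directives(const char *in, struct fmt_report *r)
{
    const char *p = in;
    memset(r, 0, sizeof *r);
    while (*p) {
        if (*p != '%') { p++; continue; }
        p++;
        if (*p == '%') { p++; continue; }     /* "%%" is a literal percent sign */
        r->directives++;

        /* optional "n$": digits immediately followed by '$' select an argument */
        const char *save = p;
        parse_number(&p);
        if (*p == '$') { r->positional++; p++; }
        else p = save;                        /* digits were a width, re-read below */

        while (*p && strchr("-+ #0'", *p)) p++;            /* flags */

        if (*p == '*') p++;                                /* width from argument */
        else { long w = parse_number(&p); if (w > r->max_width) r->max_width = w; }

        if (*p == '.') {                                   /* precision */
            p++;
            if (*p == '*') p++;
            else { long pr = parse_number(&p); if (pr > r->max_width) r->max_width = pr; }
        }

        while (*p && strchr("hlLqjzt", *p)) p++;           /* length modifiers */

        if (*p == 'n') r->writes++;                        /* the only conversion that writes */
        if (*p) p++;                                       /* consume conversion character */
    }
    return r->writes ? 2 : (r->directives ? 1 : 0);
}

/* The fix for the bug class under discussion: untrusted text is never the
 * format argument. printf(msg) would honour a "%n" inside msg; printf("%s", msg)
 * treats msg as data. The scan result is returned so callers can alert on it. */
int log_untrusted(const char *msg)
{
    struct fmt_report r;
    int risk = scan_format_directives(msg, &r);
    if (risk == 2)
        fprintf(stderr, "alert: %d memory-write directive(s) in untrusted input\n", r.writes);
    printf("%s\n", msg);                      /* safe: fixed format, msg is an argument */
    return risk;
}

int main(void)
{
    /* Constructed samples: a benign string, a stack-dump probe, a two-short-write
     * pattern like the one the thread describes, and an escaped percent sign. */
    const char *samples[] = {
        "hello world",
        "%08x.%08x.%08x",
        "AAAA%1277c%5$hn%6$hn",
        "100%% done",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct fmt_report r;
        int risk = scan_format_directives(samples[i], &r);
        printf("risk=%d directives=%d writes=%d positional=%d max_width=%ld  <- %s\n",
               risk, r.directives, r.writes, r.positional, r.max_width, samples[i]);
    }
    return 0;
}
```

The scanner deliberately follows the printf grammar rather than matching the bare substring "%n", so that "%5$hn" and "%hhn" are counted as writes while "%%n" is not; a detection rule that only looks for "%n" misses the $-form the thread recommends.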

