Security Incidents mailing list archives
Re: Solaris statd exploit?
From: Juliano Rizzo <core.lists.incidents () CORE-SDI COM>
Date: Fri, 1 Sep 2000 01:30:29 -0300
On 31 Aug 2000, Fyodor wrote:
> Generally speaking, formatted string vulnerabilities are _NOT_ exploitable on sparc platforms the way they are being exploited nowadays on x86.

That's not true: format string bugs are exploitable on sparc with a little variation of the x86 or other archs' exploits.
> The problem is that, due to alignment requirements, you cannot shift the address per byte to write the return address,

It isn't necessary to write the return address byte by byte. I think the best method to write it is using short ints; then you need only two addresses to write to, and alignment isn't a problem. In this way you avoid the next problem too:
> and due to libc limitations (at least on Solaris 7 and 2.6) you cannot write more than 4fc (last time I checked) bytes per call, which means that you cannot place a higher address. (Anyone who can prove that I am wrong, I'd be happy to hear this, honest! :))

Well, I imagine you are trying to write the ret address with 4 %n; I dislike that method. I don't understand the 0x4FC limitation; maybe you are using something like %.1277d and your printf implementation overflows with long precision fields. You could try %1277c. Btw, format string exploits look better if you use the $ conversion form and %hn. To exploit usfs on sparc, maybe you should pay attention to: big-endian byte order, memory alignment (but that isn't a problem) and the printf implementation (problems with $ and printf's overflows).
> So even if you assume that statd on Solaris has this sort of problem (which looks a lot like a fingerprint of the recently released Linux statd sploit), you can still sleep well if you're running it on SPARCs. :)

Are you sure?

--
Juliano Rizzo <juliano () core-sdi com>
http://julianor.tripod.com
http://www.core-sdi.com

---
For a personal reply use juliano () core-sdi com
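As an added illustration (not code from this thread, from statd, or from either poster), here is the logging pattern the whole exchange is about beside its hardened form, plus a small triage scanner for the directives Juliano mentions ($ positional forms and %hn). STACK_WORD, the function names and the sample inputs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for whatever word happens to sit in the daemon's
 * argument slot when the bug fires (a real daemon leaks real stack data). */
#define STACK_WORD 0x41414141u

/* Vulnerable pattern (the one statd-style bugs have): the untrusted
 * message itself becomes the format string, so any directive in it is
 * honoured. "%08x" leaks STACK_WORD; "%n"/"%hn" would write through it. */
int log_vulnerable(char *out, size_t outlen, const char *msg) {
    return snprintf(out, outlen, msg, STACK_WORD);
}

/* Hardened pattern: a literal format, so the message is only ever data. */
int log_hardened(char *out, size_t outlen, const char *msg) {
    return snprintf(out, outlen, "%s", msg);
}

/* Triage helper for inputs or log lines that should be plain text:
 * counts conversion directives, positional ("$") forms and write
 * directives ("%n", "%hn"). "%%" is an escaped percent, not a directive. */
typedef struct { int directives; int positional; int writes; } fmt_stats;

fmt_stats scan_format(const char *s) {
    fmt_stats st = {0, 0, 0};
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        st.directives++;
        const char *q = p + 1;   /* skip flags, width, precision, length */
        while (*q && strchr("0123456789.-+ #$hlLqjzt", *q)) {
            if (*q == '$') st.positional++;
            q++;
        }
        if (!*q) break;          /* truncated directive at end of input */
        if (*q == 'n') st.writes++;
        p = q;
    }
    return st;
}

int main(void) {
    char buf[64];
    log_vulnerable(buf, sizeof buf, "%08x");
    printf("vulnerable: %s\n", buf);      /* prints 41414141: stack leak */
    log_hardened(buf, sizeof buf, "%08x");
    printf("hardened:   %s\n", buf);      /* prints %08x: treated as text */
    return 0;
}
```

The same hardened form applies to syslog(), fprintf() and friends: the format argument is always a literal and the untrusted text goes through %s.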