Bugtraq mailing list archives

Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit

From: henson () intranet csupomona edu (Paul B. Henson)
Date: Mon, 18 Nov 1996 18:40:58 -0800

I have found what I believe is a very serious security hole in the
gethostbyname() function provided in the nsl library of Solaris 2.5 and
2.5.1.  The hole allows local users to gain access to a root shell
(exploit program provided below).  There is a good chance this exploit can
be modified to allow a remote attack, but such a method has not yet been
found.


After doing some playing around, it looks like this only affects machines
with patch level 103615-01 and up. Try backing out of that patch and it
should fix the problem.


I have some Solaris 2.5 machines at different patch levels (see showrev -p
output below), and they're all affected by this bug. Neither one has patch
103615-01 on it. I checked the patch list, and it seems that 103615-* only
applies to 2.5.1, not 2.5. A friend of mine has a 2.5 box with *no* patches
installed, and he said the exploit program doesn't seem to work on it.

Any news on an official patch from Sun?


----- One machine

Patch: 102832-01  Obsoletes:   Packages: SUNWolrte, SUNWolslb
Patch: 102841-01  Obsoletes:   Packages: SUNWolrte, SUNWolslb
Patch: 102850-01  Obsoletes:   Packages: SUNWolrte, SUNWolinc, SUNWolslb
Patch: 102835-01  Obsoletes:   Packages: SUNWoldst
Patch: 102837-01  Obsoletes:   Packages: SUNWoldst
Patch: 102839-01  Obsoletes:   Packages: SUNWoldst
Patch: 102846-01  Obsoletes:   Packages: SUNWolimt

----- A different machine

Patch: 103667-01  Obsoletes:   Packages: SUNWcsu, SUNWhea
Patch: 103169-06  Obsoletes:   Packages: SUNWcsu, SUNWcsr
Patch: 103242-04  Obsoletes:   Packages: SUNWcsu, SUNWcsr, SUNWarc, SUNWbtool, SUNWhea, SUNWtoo
Patch: 103279-02  Obsoletes: , Requires:, 103667-01  Packages: SUNWcsu, SUNWcsr
Patch: 103468-01  Obsoletes:   Packages: SUNWcsu
Patch: 103703-01  Obsoletes: , Requires:, 103667-01  Packages: SUNWcsu
Patch: 103815-01  Obsoletes:   Packages: SUNWcsu
Patch: 103093-06  Obsoletes: 103084-02, 103489-01  Packages: SUNWcsr, SUNWcar
Patch: 103447-03  Obsoletes:   Packages: SUNWcsr
Patch: 102832-01  Obsoletes:   Packages: SUNWolrte, SUNWolslb
Patch: 102841-01  Obsoletes:   Packages: SUNWolrte, SUNWolslb
Patch: 102850-01  Obsoletes:   Packages: SUNWolrte, SUNWolinc, SUNWolslb
Patch: 102832-02  Obsoletes:   Packages: SUNWolrte, SUNWolslb
Patch: 102835-01  Obsoletes:   Packages: SUNWoldst
Patch: 102837-01  Obsoletes:   Packages: SUNWoldst
Patch: 102839-01  Obsoletes:   Packages: SUNWoldst
Patch: 103300-02  Obsoletes:   Packages: SUNWoldst
Patch: 102971-01  Obsoletes:   Packages: SUNWscpu
Patch: 103241-01  Obsoletes:   Packages: SUNWbcp
Patch: 103746-01  Obsoletes: , Requires:, 103667-01  Packages: SUNWfns
Patch: 103266-01  Obsoletes:   Packages: SUNWnisu
Patch: 103708-01  Obsoletes: , Requires:, 103667-01  Packages: SUNWnisu
Patch: 103017-05  Obsoletes:   Packages: SUNWssadv, SUNWssaop
Patch: 102846-01  Obsoletes:   Packages: SUNWolimt

-----


--
Paul Henson  |  System Administrator  |  Cal Poly Pomona  |  (909) 869-3781
pbhenson () csupomona edu | finger henson () brick dce csupomona edu for PGP key

Current thread:

Re: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2)., (continued)
- - - Re: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). Simon Karpen (Nov 17)
    - Magic password of some linux-box(Hardware..) Seo Euiseong (Nov 17)
    - rplayd on HPUX 10.1 Henrik P Johnson (Nov 19)
    - Re: BoS: Magic password of some linux-box(Hardware..) Sergiu Popovici (Nov 19)
    - Re: BoS: Magic password of some linux-box(Hardware..) Sergei A. Golubchik (Nov 19)
    - Irix: root exploit for LicenseManager Yuri Volobuev (Nov 19)
    - Re: BoS: Magic password of some linux-box(Hardware..) moost () xs4all nl (Nov 20)
    - Ascend Killer Program Aleph One (Nov 17)
    - Serious hole in Solaris 2.5[.1] gethostbyname() (exploit included) Jeremy Elson (Nov 18)
    - Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit Craig Raskin (Nov 18)
    - Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit Paul B. Henson (Nov 18)
    - Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit Russell Street (Nov 18)
    - ALERT: Solaris 2.5.1 locks up on TCP connections in Pine 3.9x Todd Vierling (Nov 18)
    - Re: ALERT: Solaris 2.5.1 locks up on TCP connections in Pine 3.9x Brian Harvell (Nov 20)
    - ssh w/ solaris 2.5.[1] Aleph One (Nov 18)
    - Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit Mike Battersby (Nov 18)
    - Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit Casper Dik (Nov 19)
    - Futile rexecd holes jaeger (Nov 18)
    - Re: Futile rexecd holes Roger Espel Llima (Nov 19)
    - Irix: new LicenseManager is safe? No way Yuri Volobuev (Nov 22)
    - Re: Futile rexecd holes Jon Peatfield (Nov 22)

(Thread continues...)