Bugtraq mailing list archives
Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit
From: im14u2c () cegt201 bradley edu (Joe Zbiciak)
Date: Wed, 20 Nov 1996 00:56:04 -0600
And then Alan Cox went and said something like this:
|
|> The exploit does not work on my 2.5.1 Ultra-1. Presumably this is
|> just a matter of getting the machine code right for the platform. ;)
|
|According to Dave Miller (Linux sparc guru) the I & D caches on the ultra
|are not coherent, so you'll need to find a way to flush the I cache.
|
|Alan
|

I would imagine running a couple copies of a program such as the following
in the background would keep the data caches pretty well flushed:

    /* Data-cache thrasher: walks a 64 MB array forever with a scrambled
     * write pattern so the D-cache is continually evicted. */
    static int playpen[1<<24];      /* static: 64 MB will not fit on the stack */

    int main(void)
    {
        int i;
        while (1)
            for (i = 0; i < (1<<24); i++)
                playpen[i ^ 0x2a3a4a] = playpen[i] * i + 1;
        return 0; /* not reached */
    }

I'm not sure how you'd flush the I-cache, though, unless you were able to
construct some really nasty straight-line code that was really long. A
program such as the following might generate a suitable program. (This
program *generates* C code, which you would then need to compile.)

    #include <stdio.h>

    /* Emits C source for one enormous straight-line loop body; the
     * compiled result is meant to thrash the instruction cache. */
    int main(void)
    {
        int i;
        printf("int main(void) { int playpen[1<<16];\n while (1) {\n");
        for (i = 0; i < (1<<16); i++)
            printf("playpen[%d] = playpen[%d] * %d + 1;\n",
                   i ^ 0x3a4a, i, (1<<16) - i);
        printf("} return 0; }\n");
        return 0;
    }

Then exploiting the bug would be a matter of "racing" the task-switcher,
to see if it will switch tasks after the stack smash, but before the
spurious jump, so that these other tasks have a chance to flush the
caches. Putting the exploiting call into a loop should run the race for
you automagically.

--Joe Z.

--
:======= Joe Zbiciak =======:  Advice...
:- - im14u2c () bradley edu - -:  Wise man don't need it,
: - - - - - http: - - - - - :  fools don't heed it.
://ee1.bradley.edu/~im14u2c/:
:======= DISCLAIMER: =======:  -- Darin S. Lory
: -Only crazy people would- :
:= = = -agree with me- = = =:  (504:834 3:15)