Bugtraq mailing list archives
Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit
From: newsham () aloha net (Tim Newsham)
Date: Wed, 20 Nov 1996 18:37:36 -1000
> > The exploit does not work on my 2.5.1 Ultra-1. Presumably this is just a matter of getting the machine code right for the platform. ;)
>
> According to Dave Miller (Linux sparc guru) the I & D caches on the ultra are not coherent, so you'll need to find a way to flush the I cache.
>
> Alan

Cache coherency is not the problem here. The exploit uses an opcode (twice) that causes an illegal instruction exception on sun4u. Replacing the instruction with something appropriate for sun4u results in a working exploit. The instruction is the "ta" instruction; a working opcode is "ta 8" for both occurrences.

Tim N.