Bugtraq mailing list archives

Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit

From: newsham () aloha net (Tim Newsham)
Date: Wed, 20 Nov 1996 18:37:36 -1000

The exploit does not work on my 2.5.1 Ultra-1.  Presumably this is
just a matter of getting the machine code right for the platform. ;)


According to Dave Miller (Linux sparc guru) the I & D caches on the ultra
are not coherent, so you'll need to find a way to flush the I cache.


Cache coherency is not the problem here.  The
exploit uses an opcode (twice) that causes an illegal
instruction exception on sun4u.  Replacing the
instruction with something appropriate for sun4u
results in a working exploit.  The instruction is
the "ta" instruction, a working opcode is "ta 8" for
both occurances.

Alan


                                Tim N.

Current thread:

Re: A security issue of a different kind., (continued)
- - - Re: A security issue of a different kind. Jon Peatfield (Nov 27)
    - Re: A security issue of a different kind. Piete Brooks (Nov 27)
    - Major Security Vulnerabilities in Remote CD Databases David J. Meltzer (Nov 26)
    - Re: Major Security Vulnerabilities in Remote CD Databases itudps (Nov 26)
    - lquerypv fix Troy Bollinger (Nov 25)
    - HP Bug of the Week! Aleph One (Nov 23)
    - HP Bug of the Week: OFS Aleph One (Nov 23)
    - Serious BIND resolver problem. Oliver Friedrichs (Nov 18)
    - Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit Alan Cox (Nov 19)
    - Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit Joe Zbiciak (Nov 19)
    - Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit Tim Newsham (Nov 20)
  - Re: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). Jim Dennis (Nov 17)
  - big fat gethostbyname() hole Pete Ashdown (Nov 18)
- sendmail-8.8.3 released Jared Mauch (Nov 17)