Possibly exploitable buffer overflow in Solaris 2.5.1 ps

[jzbiciak () MICRO TI COM (Joe Zbiciak)]

All,

In poking around, I discovered it's possible to bus-error /usr/bin/ps
on Solaris 2.5.1.  (Not certain if any patches affecting ps have been
applied to the system I discovered this on.)

Giving "-u" a suitably large argument produces the bus error.  I've not
yet managed to exploit it.  Here's my analysis so far:

user arg >9 chars:   null termination lost, extra garbage in error msg.
user arg >32 chars:  ps gets completely confused about commandline and
                     prints generic usage information.
user arg >95 chars:  ps starts segmentation faulting.
user arg >100 chars: ps starts bus-erroring.

(This is using a commandline of the form 'ps -u aaaaa....aaaa'.)

It appears from this that the return address is at offset 96.  Now it's
just a matter of someone digging out the generic Solaris 'sploit and
tuning 'er up.

--Joe

--
 +--------------Joseph Zbiciak--------------+
 |- - - - - jzbiciak () micro ti com  - - - - -|
 | - - http://ee1.bradley.edu/~im14u2c/ - - |      Not your average "Joe."
 |- - - - Texas Instruments,  Dallas - - - -|
 +-------#include <std_disclaimer.h>--------+