Bugtraq mailing list archives
Re: Solaris ld.so possibly vulnerable?
From: vermont () GATE NET (Illuminatus Primus)
Date: Mon, 21 Jul 1997 01:43:26 -0400
On Fri, 18 Jul 1997, Dan Fleisher wrote:
> Hi, here are the results of a test which indicate that Solaris (2.4 at
> least) ld.so might be vulnerable to this overflow:
>
>     memset(b, 'A', sizeof(b));
>     putenv("LD_PRELOAD=foobar");
>     execl(argv[1], b, 0);
>     write(2, err2, sizeof(err2));
>
>     bash$ sot /bin/sh
>     Segmentation Fault (core dumped)
I thought sot might be segfaulting before it came time to exec anything
due to the fact that b isn't null terminated, but terminating it didn't
change anything. Using gdb on sot on slowaris x86:

    Program received signal SIGTRAP, Trace/breakpoint trap.
    0x8000546a in ?? ()
    (gdb) c
    Continuing.

    Program received signal SIGSEGV, Segmentation fault.
    0x8000cec2 in ?? () from /usr/lib/libdl.so.1
    (gdb)

So something is obviously going haywire in the dynamic loader...
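An added example, not code from either post: a small harness that runs a target the same way the posted test does (LD_PRELOAD set, oversized argv[0]) and reports from the parent how the child terminated, so a loader can be regression-checked for this behaviour without inspecting a core dump. The target path and the 4096-byte argv[0] length are assumptions of the example.

```c
/* Added example, not from the thread: run a program with LD_PRELOAD set
 * and an oversized argv[0], as the posted test does, and report how the
 * child ended. Target path and length are assumptions of this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns the signal that killed the child (e.g. 11 for SIGSEGV),
 * 0 if it exited normally, or -1 on a harness error (fork/exec failed). */
int probe_long_argv0(const char *path, size_t argv0_len) {
    char *b = malloc(argv0_len + 1);
    if (b == NULL) return -1;
    memset(b, 'A', argv0_len);
    b[argv0_len] = '\0';       /* NUL-terminate; the posted snippet did not */

    pid_t pid = fork();
    if (pid < 0) { free(b); return -1; }
    if (pid == 0) {
        /* Child: same environment as the report, then exec with the long
         * string as argv[0]. The (char *)NULL sentinel is what execl
         * requires; a bare 0 is not portable. Exit 127 if exec fails. */
        if (putenv("LD_PRELOAD=foobar") != 0) _exit(127);
        execl(path, b, (char *)NULL);
        _exit(127);
    }
    free(b);

    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status)) return WTERMSIG(status);
    if (WIFEXITED(status) && WEXITSTATUS(status) == 127) return -1;
    return 0;
}

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s /path/to/program [argv0_len]\n", argv[0]);
        return 2;
    }
    size_t len = argc > 2 ? strtoul(argv[2], NULL, 10) : 4096;
    int r = probe_long_argv0(argv[1], len);
    if (r < 0) printf("harness error\n");
    else if (r == 0) printf("%s exited normally with %zu-byte argv[0]\n", argv[1], len);
    else printf("%s killed by signal %d with %zu-byte argv[0]\n", argv[1], r, len);
    return r > 0;
}
```

On a loader that handles argv[0] correctly the child exits normally (the missing "foobar" preload is reported and ignored); a nonzero signal number is the result worth investigating.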