Bugtraq mailing list archives
Re: Solaris ld.so possibly vulnerable?
From: adam () MATH TAU AC IL (Adam Morrison)
Date: Mon, 21 Jul 1997 22:43:02 +0300
Hi, here are the results of a test which indicate that Solaris (2.4 at least) ld.so might be vulnerable to this overflow:
I don't think that the Solaris and Linux ld.so share the same code base, so I doubt there'll be a case where you could say ``this overflow'' about them. As for the existence of a stack overrun condition similar to the one in Linux in the Solaris ld.so, I do not believe this to be the case. The bug the program you posted triggers is indeed because of a call to strcpy(), however the buffers in question are not on the stack but are malloc()ed during run time. (There are some cases where ld.so first calls strlen() to determine how much memory to ask malloc() for, if I remember correctly; obviously, the particular instance you've discovered is not one of those).

It's been a long while since I disassembled Solaris ld.so, but I don't think you could do anything useful with these strcpy()s -- the order in which they are allocated doesn't give you much to work on. I would not bet my life on it, but I do not remember *any* eye popping stack overrun conditions in the dynamic loader. (This does not go to say that there may not be security problems in the Solaris ld.so -- that is something I would never say about any program -- but the specific bug you posted is benign, IMHO.)

adam?
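The two allocation patterns the message contrasts, shown side by side as an added example: this is not part of the original post and is not code from Solaris ld.so. The function names and the 64-byte `NAME_CAP` are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_CAP 64  /* assumed fixed allocation size (hypothetical) */

/* Fixed-size heap buffer filled by an unbounded strcpy(): the kind of copy
 * the message describes. Input of NAME_CAP bytes or more writes past the
 * allocation into neighbouring heap memory, not into a stack frame. */
char *dup_fixed_unsafe(const char *src) {
    char *buf = malloc(NAME_CAP);
    if (buf == NULL) return NULL;
    strcpy(buf, src);            /* no length check */
    return buf;
}

/* Same fixed-size buffer with the missing check: refuse input that does
 * not fit, terminator included. */
char *dup_fixed_checked(const char *src) {
    size_t n = strlen(src) + 1;
    if (n > NAME_CAP) return NULL;
    char *buf = malloc(NAME_CAP);
    if (buf == NULL) return NULL;
    memcpy(buf, src, n);
    return buf;
}

/* strlen()-then-malloc(): the allocation is sized from the input, so the
 * copy cannot overrun it whatever the input length. */
char *dup_sized(const char *src) {
    size_t n = strlen(src) + 1;
    char *buf = malloc(n);
    if (buf == NULL) return NULL;
    memcpy(buf, src, n);
    return buf;
}

int main(void) {
    char long_in[200];           /* constructed sample input */
    memset(long_in, 'A', sizeof long_in - 1);
    long_in[sizeof long_in - 1] = '\0';
    char *p = dup_sized(long_in);
    char *q = dup_fixed_checked(long_in);
    printf("sized: %s, checked: %s\n", p ? "copied" : "failed",
           q ? "copied" : "rejected");
    free(p);
    free(q);
    return 0;
}
```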