Bugtraq mailing list archives

Re: Merry Christmas to Sun! (Was: L0pht NFR N-Code Modules


From: casper () HOLLAND SUN COM (Casper Dik)
Date: Mon, 28 Dec 1998 20:33:53 +0100


> On Thu, 24 Dec 1998, Casper Dik wrote:
> > I'd love it if someone did the "SPARC exercise".  (If you have an
> > x86 exploit, it's not always as easy to make a SPARC one)


Well, it appears I should never have said that; it led to various
ad hominem attacks.  Please, I'm not a "vendor representative",
it isn't "my" code and "I" am not the person to fix it.  I'm just
trying to help out here.  I guess the irony of the remark was lost on
some.  (As someone else remarked, exercises left to the reader are
left to the reader for a single reason most of the time: the author couldn't
figure it out for himself)

As for the KCMS code and fixing it myself, well, I'd love to have the power
to do so, but as it stands, the Sun source code is spread over several
bits all under different control.  Some even under external control.
Not all source code is available on our intranet (hate that word).

> On unpatched Solaris 2.6, sparc:
>
> % uname -a
> SunOS oy 5.6 Generic sun4m sparc SUNW,SPARCstation-20
> % /usr/openwin/bin/kcms_configure -P `perl -e 'print "a" x 9000'` foofoo
> %
>
> That's it, no seg fault.  Am I doing something wrong?

No, SPARC stack frames are constructed differently.  On Solaris/Intel, all
you need is a return from the function that declared the overflown buffer.

On SPARC, you need to return from the invoking function as well.

The kcms_* program must test & exit before the overflow ends up in a
register.  It may still be possible to craft an overflow for
kcms_configure on SPARC that is exploitable; it's likely not to be as
straightforward as the one on Intel.

Casper
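
The register-window behaviour Casper describes above, as an added illustration (this is a toy model written for this page, not code from the original post, from kcms_configure or from Solaris; the addresses 0x10000/0x20000, the 160-byte frames, the buffer position and the payload are made up). On SPARC V8 a function's own return address lives in %i7, a register, and the caller's %i7 is written to the caller's 64-byte save area on the stack (at fp+60 as seen from the callee) only when that window is spilled, and read back only when a window underflow reloads it. An overflowing buffer therefore corrupts the caller's saved %i7 in memory, which is harmless until the callee returns (reloading the caller's window from the corrupted save area) and then the caller returns too:

```c
/*
 * Toy model of SPARC V8 register windows (added illustration, not code from
 * the original post or from kcms_configure; addresses and frame sizes are
 * invented).  Shows why a stack overflow on SPARC needs a return from the
 * caller as well: the caller's %i7 reaches memory only on a window spill and
 * comes back from memory only on a window fill.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NWIN      8      /* windows in the register file */
#define MAXDEPTH  32
#define STACK_SZ  1024   /* simulated user stack, grows downward */

/* One register window: %i0-%i7 (%i6 = fp, %i7 = return address) and its %sp. */
typedef struct { uint32_t i[8]; uint32_t sp; int in_regs; } win_t;

static uint8_t stack[STACK_SZ];
static win_t   w[MAXDEPTH];
static int     depth;          /* w[depth-1] is the current window */

static void     put32(uint32_t a, uint32_t v) { memcpy(stack + a, &v, 4); }
static uint32_t get32(uint32_t a) { uint32_t v; memcpy(&v, stack + a, 4); return v; }

/* The 64-byte save area at a window's own %sp: %l0-%l7 at +0, %i0-%i7 at +32,
 * so the saved %i7 sits at sp+60.  Only spill/fill ever touch it. */
static void spill(win_t *f) { for (int k = 0; k < 8; k++) put32(f->sp + 32 + 4*k, f->i[k]); f->in_regs = 0; }
static void fill (win_t *f) { for (int k = 0; k < 8; k++) f->i[k] = get32(f->sp + 32 + 4*k); f->in_regs = 1; }

static int live_windows(void) { int n = 0; for (int k = 0; k < depth; k++) n += w[k].in_regs; return n; }

static void machine_reset(void) {
    memset(stack, 0, sizeof stack); memset(w, 0, sizeof w);
    depth = 1; w[0].sp = STACK_SZ - 64; w[0].in_regs = 1;   /* main's window */
}

/* call + save: new window, %i6 = caller's %sp (our fp), %i7 = call address. */
static void call_save(uint32_t call_addr, uint32_t frame_size) {
    if (live_windows() == NWIN)                   /* window overflow trap: */
        for (int k = 0; k < depth; k++)           /* spill the oldest live one */
            if (w[k].in_regs) { spill(&w[k]); break; }
    win_t *cur = &w[depth - 1];
    win_t *f = &w[depth++];
    memset(f, 0, sizeof *f);
    f->i[6] = cur->sp; f->i[7] = call_addr; f->sp = cur->sp - frame_size; f->in_regs = 1;
}

/* ret; restore: jump to %i7+8 of the *current* window, then drop it.  If the
 * caller's window is not in the register file, a window underflow trap
 * reloads it from the caller's save area in memory. */
static uint32_t ret_restore(void) {
    uint32_t target = w[depth - 1].i[7] + 8;
    depth--;
    if (depth > 0 && !w[depth - 1].in_regs) fill(&w[depth - 1]);
    return target;
}

/* What the kernel does on a context switch or signal delivery: every window
 * but the current one is written to its save area on the stack. */
static void flush_windows(void) { for (int k = 0; k < depth - 1; k++) if (w[k].in_regs) spill(&w[k]); }

/* Unchecked strcpy-style write into a buffer at sp+off of the current frame. */
static void overflow_current(uint32_t off, const uint8_t *src, size_t n) { memcpy(stack + w[depth - 1].sp + off, src, n); }

/* Scenario (invented): main -> caller -> victim.  Both frames are 160 bytes;
 * victim's 64-byte buffer lives at sp+92 (above the save area, the struct-
 * return slot and the 24-byte argument spill area), i.e. 68 bytes below its
 * fp.  The caller's saved %i7 is at fp+60, so a 132-byte write reaches it.
 * Returns the PC reached after 'returns' ret/restore pairs. */
static uint32_t run_scenario(int flush_before_overflow, int returns) {
    uint8_t payload[132];
    machine_reset();
    call_save(0x10000, 160);                     /* main calls caller   */
    call_save(0x20000, 160);                     /* caller calls victim */
    if (flush_before_overflow) flush_windows();  /* e.g. a context switch */
    memset(payload, 'A', sizeof payload);
    overflow_current(92, payload, sizeof payload);
    uint32_t pc = 0;
    for (int k = 0; k < returns; k++) pc = ret_restore();
    return pc;
}

int main(void) {
    printf("no spill, victim returns : %#x\n", (unsigned)run_scenario(0, 1));  /* 0x20008 */
    printf("no spill, caller returns : %#x\n", (unsigned)run_scenario(0, 2));  /* 0x10008 */
    printf("spilled,  victim returns : %#x\n", (unsigned)run_scenario(1, 1));  /* 0x20008 */
    printf("spilled,  caller returns : %#x\n", (unsigned)run_scenario(1, 2));  /* 0x41414149 */
    return 0;
}
```

Two things the model makes visible. First, the victim's own return is never affected: its %i7 is in a register and the corrupted bytes sit in the caller's frame, so control only leaves the program's code on the caller's return (0x41414141 + 8, the ret semantics), which is the "return from the invoking function as well" Casper describes; any test-and-exit() between those two returns means the corrupted value is never used. Second, if no spill of the caller's window happened before the overflow, the stale copy in the save area is simply never read and both returns land where they should; a run with no crash at all, as in the quoted kcms_configure test, is consistent with that, although the model cannot tell what the real program did.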


