Bugtraq mailing list archives

Re: Solaris2.6,2.7 dtprintinfo exploits


From: lamontg () RAVEN GENOME WASHINGTON EDU (Lamont Granquist)
Date: Mon, 10 May 1999 13:13:29 -0700


Digital Unix 4.0 through 4.0D w/BL11 (aka patch kit 3) does not appear to
be vulnerable to this problem.  Tested with:

% cat > lpstat
echo "system for lpprn: server.com"
^D
% chmod 755 lpstat
% setenv PATH .:$PATH
% /usr/dt/bin/dtprintinfo -p `perl -e '{ print "A" x 10000 }'`

On Mon, 10 May 1999, UNYUN@ShadowPenguin wrote:
> "dtprintinfo" is a suid program; the stack buffer can be overflowed by the '-p'
> option. I made an exploit program that can get root for the Intel edition of
> Solaris 2.6 and Solaris 2.7.



--
Lamont Granquist                       lamontg () genome washington edu
Dept. of Molecular Biotechnology       (206)616-5735  fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontg () raven genome washington edu | pgp -fka


