Bugtraq mailing list archives
Re: SunOS 5.6 (X86) lpset vulnerability
From: caj () LFN ORG (Craig Johnston)
Date: Tue, 11 May 1999 22:39:25 -0500
On Tue, 11 May 1999, kim yong-jun homepage=ce.hannam.ac.kr/~s96192 wrote:
This is my second post to ButTraq. If this is old, I'm sorry. It's buffer overflow in "/usr/bin/lpset". View this command : [loveyou@/] % /usr/bin/lpset -a key=`perl -e 'print "x" x 1006'` loveyou [loveyou@/] % /usr/bin/lpset -a key=`perl -e 'print "x" x 1007'` loveyou Segmentation fault
On my Solaris 2.6 and 2.7 systems, unless you are already uid 0 or are gid 14 lpset bombs before it can dump core, with "Permission denied: not in group 14." It dumps core as root. So apparently this will only get one a gid 14 -> uid 0 upgrade. I found on my Solaris systems I had already stripped the setuid bit because we don't use the program and Sun does a truly pathetic job of rooting the buffer overflows out of their setuid code. With the number of units of Solaris that are sold, every setuid/setgid binary on the system should have been audited for overflows. It's really pathetic that we are still seeing them. It's especially cute when Sun ships a new version with holes for which patches were available for the previous version. (see 'ufsrestore')
Current thread:
- SunOS 5.6 (X86) lpset vulnerability kim yong-jun homepage=ce.hannam.ac.kr/~s96192 (May 10)
- Re: SunOS 5.6 (X86) lpset vulnerability Craig Johnston (May 11)
- Re: SunOS 5.6 (X86) lpset vulnerability Sam Carter (May 13)
- - J.J.F. / Hackers Team warns for SSHD 2.x brute force password Patrick Oonk (May 13)
- Re: SunOS 5.6 (X86) lpset vulnerability Holt Sorenson (May 13)
- SYN floods against FreeBSD Richard Steenbergen (May 13)
- <Possible follow-ups>
- Re: SunOS 5.6 (X86) lpset vulnerability James Edwards (May 13)
- Re: SunOS 5.6 (X86) lpset vulnerability Michael Dooley (May 17)