Bugtraq mailing list archives

Re: SunOS 5.6 (X86) lpset vulnerability

From: caj () LFN ORG (Craig Johnston)
Date: Tue, 11 May 1999 22:39:25 -0500


On Tue, 11 May 1999, kim yong-jun homepage=ce.hannam.ac.kr/~s96192 wrote:

This is my second post to ButTraq.
If  this is old, I'm sorry.


It's buffer overflow in "/usr/bin/lpset".

View this command :
[loveyou@/] % /usr/bin/lpset -a key=`perl  -e 'print "x" x 1006'` loveyou

[loveyou@/] % /usr/bin/lpset -a key=`perl  -e 'print "x" x 1007'` loveyou
Segmentation fault


On my Solaris 2.6 and 2.7 systems, unless you are already uid 0 or
are gid 14 lpset bombs before it can dump core, with "Permission
denied: not in group 14."

It dumps core as root.

So apparently this will only get one a gid 14 -> uid 0 upgrade.

I found on my Solaris systems I had already stripped the setuid bit
because we don't use the program and Sun does a truly pathetic job of
rooting the buffer overflows out of their setuid code.

With the number of units of Solaris that are sold, every setuid/setgid
binary on the system should have been audited for overflows.  It's
really pathetic that we are still seeing them.

It's especially cute when Sun ships a new version with holes for which
patches were available for the previous version.  (see 'ufsrestore')

Current thread:

SunOS 5.6 (X86) lpset vulnerability kim yong-jun homepage=ce.hannam.ac.kr/~s96192 (May 10)
- Re: SunOS 5.6 (X86) lpset vulnerability Craig Johnston (May 11)
- Re: SunOS 5.6 (X86) lpset vulnerability Sam Carter (May 13)
- - J.J.F. / Hackers Team warns for SSHD 2.x brute force password Patrick Oonk (May 13)
- Re: SunOS 5.6 (X86) lpset vulnerability Holt Sorenson (May 13)
- SYN floods against FreeBSD Richard Steenbergen (May 13)
- <Possible follow-ups>
- Re: SunOS 5.6 (X86) lpset vulnerability James Edwards (May 13)
- Re: SunOS 5.6 (X86) lpset vulnerability Michael Dooley (May 17)