Bugtraq mailing list archives

Re: Solaris libc exploit


From: woloszyn () it pl (M.C.Mar)
Date: Sun, 23 May 1999 15:43:54 +0200


On Sat, 22 May 1999, UNYUN@ShadowPenguinSecurity wrote:

Hello.

libc overflows when it handles LC_MESSAGES.
So, if you set a long string in LC_MESSAGES and call
/bin/sh, a core file is dumped.
This is a serious problem.

Well...
$ setenv LC_MESSAGES `perl -e 'print "A"x1024'`
$ /bin/sh
couldn't set locale correctly
$ uname -a
SunOS XXXXXX 5.6 Generic_105181-07 sun4u sparc SUNW,Ultra-4

If a long string containing the exploit code is set in
LC_MESSAGES and a suid program is called by execl(), a local user
can get root privileges. The called suid program does not
have to contain the overflow bug itself.
I confirmed this bug on Solaris 2.6 and Solaris 7.
Solaris 2.4 and 2.5 do not contain this bug.

Do I need to call it directly by execl???

The following program is an example to get root privilege.
This is tested on Solaris2.6 for Sparc edition.
This program calls "/bin/passwd", but you can also specify
other suid programs such as "/bin/su" or "/bin/rsh".


$ traceroute
Error: Aborting!
 Excessive environment variable length:
'LC_MESSAGES=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'

Seems like a universal wrapper...
Any details? Did I miss something?

--
___________________________________________________________________________
M.C.Mar   An NT server can be run by an idiot, and usually is.   emsi () it pl
      "If you can't make it good, make it LOOK good." - Bill Gates
   Those who do not understand Unix are condemned to reinvent it, poorly.
            - Henry Spencer, University of Toronto Unix hack
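The traceroute session quoted above shows a wrapper refusing to run because of an oversized LC_MESSAGES entry. The following is an added example of that kind of environment-length check, written for this archive page and not taken from Solaris or from anyone in the thread; the program name `envcheck`, the 1024-byte limit, and the decision to check only LANG and LC_* entries are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Limit for one "NAME=value" entry, excluding the NUL. Chosen for this example;
 * the quoted session shows a roughly 1024-byte LC_MESSAGES being rejected. */
#define MAX_ENV_ENTRY_LEN 1024

/* 1 if the entry is a locale variable (LANG or any LC_*), else 0. */
int is_locale_var(const char *entry)
{
    return strncmp(entry, "LANG=", 5) == 0 || strncmp(entry, "LC_", 3) == 0;
}

/* Scan a NULL-terminated envp array. Returns the index of the first locale
 * entry longer than max_len, or -1 if all locale entries are within the limit.
 * Only locale variables are checked: setlocale() in libc reads them while the
 * suid target starts up, before any of the target's own code runs. */
int first_oversized_locale_var(char *const envp[], size_t max_len)
{
    for (int i = 0; envp[i] != NULL; i++) {
        if (is_locale_var(envp[i]) && strlen(envp[i]) > max_len)
            return i;
    }
    return -1;
}

/* Wrapper (hypothetical name envcheck): ./envcheck /path/to/program [args...]
 * Refuses to exec when the check fails and prints only the variable name. */
int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s program [args...]\n", argv[0]);
        return 2;
    }
    int bad = first_oversized_locale_var(environ, MAX_ENV_ENTRY_LEN);
    if (bad >= 0) {
        const char *eq = strchr(environ[bad], '=');
        size_t namelen = eq ? (size_t)(eq - environ[bad]) : strlen(environ[bad]);
        fprintf(stderr, "Error: Aborting! Excessive environment variable length: %.*s\n",
                (int)namelen, environ[bad]);
        return 1;
    }
    execv(argv[1], argv + 1);  /* reached only when every locale variable is sane */
    perror("execv");
    return 1;
}
```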