Bugtraq mailing list archives
Re: Solaris libc exploit
From: woloszyn () it pl (M.C.Mar)
Date: Sun, 23 May 1999 15:43:54 +0200
On Sat, 22 May 1999, UNYUN@ShadowPenguinSecurity wrote:
> Hello. libc overflows when it handles LC_MESSAGES. So, if you set a long string in LC_MESSAGES and call /bin/sh, a core file is dumped. This is a serious problem.
Well...

$ setenv LC_MESSAGES `perl -e 'print "A"x1024'`
$ /bin/sh
couldn't set locale correctly
$ uname -a
SunOS XXXXXX 5.6 Generic_105181-07 sun4u sparc SUNW,Ultra-4
> If a long string that contains the exploit code is set in LC_MESSAGES and a suid program is called by execl(), a local user can get root privilege. The called suid program does not have to contain the overflow bug itself. I confirmed this bug on Solaris 2.6 and Solaris 7. Solaris 2.4 and 2.5 do not contain this bug.
Do I need to call it directly by execl???
> The following program is an example of getting root privilege. It was tested on Solaris 2.6 for SPARC. This program calls "/bin/passwd", but you can also specify other suid programs such as "/bin/su" or "/bin/rsh".
$ traceroute
Error: Aborting! Excessive environment variable length:
'LC_MESSAGES=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'

Seems like a universal wrapper... Any details? Did I miss something?

--
___________________________________________________________________________
M.C.Mar               An NT server can be run by an idiot, and usually is.
emsi () it pl         "If you can't make it good, make it LOOK good." - Bill Gates
Those who do not understand Unix are condemned to reinvent it, poorly.
                                - Henry Spencer, University of Toronto Unix hack
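As an added example (not code from this thread and not UNYUN's exploit program, which the post does not include), here is the kind of pre-exec environment length check that the "universal wrapper" in front of M.C.Mar's traceroute appears to perform, written in C. The 255-byte limit, the function names and the /bin/sh target are assumptions for illustration. It builds the same LC_MESSAGES=AAAA... value the thread uses, refuses to exec when any variable's value exceeds the limit, and otherwise hands the environment to execve() explicitly. That last point also answers the execl() question in general terms: execl() passes the caller's current environ, and execve() passes whatever array you give it, so no shell is needed to deliver the variable to the target.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed limit for illustration; the real wrapper's threshold is not given in the thread. */
#define MAX_ENV_VALUE 255

/* Build "NAME=" followed by len copies of fill, the shape of the
 * LC_MESSAGES=AAAA... value used in the thread. Caller frees the result. */
char *make_padded_env(const char *name, size_t len, char fill)
{
    size_t nlen = strlen(name);
    char *s = malloc(nlen + 1 + len + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, name, nlen);
    s[nlen] = '=';
    memset(s + nlen + 1, fill, len);
    s[nlen + 1 + len] = '\0';
    return s;
}

/* Return the index of the first environment entry whose value is longer than
 * max_value bytes (or that has no '=' at all), or -1 if every entry passes. */
int find_oversized_env(char *const envp[], size_t max_value)
{
    for (int i = 0; envp[i] != NULL; i++) {
        const char *eq = strchr(envp[i], '=');
        if (eq == NULL || strlen(eq + 1) > max_value)
            return i;
    }
    return -1;
}

/* Wrapper-style guard: refuse to exec when any variable is too long, otherwise
 * execve() the target with the caller-supplied environment. Returns -1 without
 * exec'ing on refusal, and -1 from execve() itself if the exec fails. */
int exec_with_env_check(const char *path, char *const argv[], char *const envp[])
{
    int bad = find_oversized_env(envp, MAX_ENV_VALUE);
    if (bad >= 0) {
        fprintf(stderr, "Error: Aborting! Excessive environment variable length: '%.32s...'\n",
                envp[bad]);
        return -1;
    }
    return execve(path, argv, envp);   /* only returns on failure */
}

int main(void)
{
    char *argv[] = { "sh", "-c", "uname -a", NULL };

    /* 1. The overlong variable from the thread (constructed here): refused before exec. */
    char *lc_long = make_padded_env("LC_MESSAGES", 1024, 'A');
    char *env_bad[] = { "PATH=/usr/bin:/bin", lc_long, NULL };
    if (exec_with_env_check("/bin/sh", argv, env_bad) < 0)
        fprintf(stderr, "refused overlong LC_MESSAGES, as a wrapper should\n");
    free(lc_long);

    /* 2. A sane locale value passes the check; execve() replaces this process. */
    char *env_ok[] = { "PATH=/usr/bin:/bin", "LC_MESSAGES=C", NULL };
    exec_with_env_check("/bin/sh", argv, env_ok);
    perror("execve");
    return 1;
}
```

A wrapper like this only protects programs that are started through it. The overflow is in libc's locale handling, so a setuid binary invoked directly still parses whatever LC_MESSAGES it inherits, which is exactly why the plain /bin/sh test above dumps core while the wrapped traceroute does not; the check is a stopgap, and the fix belongs in libc.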
Current thread:
- Re: Solaris libc exploit Oystein Viggen (May 22)
- <Possible follow-ups>
- Re: Solaris libc exploit acpizer (May 23)
- Re: Solaris libc exploit M.C.Mar (May 23)
- Re: Solaris libc exploit GOMBAS Gabor (May 23)