Bugtraq mailing list archives

Re: Solaris libc locale bug exploit against non-exec stack


From: Chris Wing <wingc () ENGIN UMICH EDU>
Date: Sat, 18 Nov 2000 18:22:17 -0500

Here is a workaround to the libc locale exploit in Solaris that should
work until Sun releases an official patch:

        http://www-personal.engin.umich.edu/~wingc/patches/fix-libc.c

This program modifies the Solaris libc by writing a null byte into the
first occurrence of the string "NLSPATH". Basically, it disables NLSPATH
entirely, by changing (within libc)

        getenv("NLSPATH")

into
        getenv("")


This is tested on Solaris 2.6 and stops the exploit.

To use it, make a copy of libc and run the program on that copy:

        cc -o fix-libc fix-libc.c
        cp /usr/lib/libc.so.1 some-file-name
        ./fix-libc some-file-name

Note that you should only replace libc 'atomically'; if you remove your
existing libc with a shell command, you won't be able to run another shell
command to put a new one in its place. Solaris 'mv' correctly replaces
libc in place, i.e.:

        cp /usr/lib/libc.so.1 somewhere-backup-file
        mv fixed-libc /usr/lib/libc.so.1


Be careful in any case if you do replace libc!!

-Chris Wing
wingc () engin umich edu
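The string-patching step the post describes, written out as an added example. This is not Chris Wing's fix-libc.c (which the archive does not reproduce) and has not been run against a real Solaris libc; it assumes only that the target name is stored in the library as a complete NUL-terminated C string, and it is stricter than "first occurrence": a hit that is merely a substring of a longer string (the constructed "XNLSPATH" entry below) is skipped, so that a neighbouring string is not blanked by mistake. The file name, the string and the sample table are all constructed for the example; the copy-then-mv replacement of the live libc is still done by hand as the post shows.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: a fragment of a read-only string table laid out the
 * way a C library stores literals, one NUL-terminated entry after another.
 * "XNLSPATH" is there to show that a substring hit is skipped. */
static const unsigned char sample_table[] =
    "LANG\0XNLSPATH\0NLSPATH\0LC_ALL\0";

/* Offset of the first occurrence of `name` as a complete C string inside
 * buf[0..len): the match must start at the buffer start or right after a
 * NUL, and must itself be followed by a NUL.  Returns -1 if absent. */
long find_c_string(const unsigned char *buf, size_t len, const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || len < n + 1)
        return -1;
    for (size_t i = 0; i + n < len; i++) {
        if (memcmp(buf + i, name, n) != 0 || buf[i + n] != '\0')
            continue;
        if (i == 0 || buf[i - 1] == '\0')
            return (long)i;
    }
    return -1;
}

/* Turn the first whole-string occurrence of `name` into "" by writing a
 * NUL over its first byte.  Nothing else moves, so offsets inside the
 * library stay valid.  Returns the patched offset, or -1 if not found. */
long blank_c_string(unsigned char *buf, size_t len, const char *name)
{
    long off = find_c_string(buf, len, name);
    if (off >= 0)
        buf[off] = '\0';
    return off;
}

/* Search the constructed sample table (used by the self-check below). */
long sample_find(const char *name)
{
    return find_c_string(sample_table, sizeof sample_table, name);
}

/* Patch a copy of the sample and verify it: returns the patched offset, or
 * -1 if the string was absent or is still findable afterwards. */
long demo_offset(void)
{
    unsigned char tbl[sizeof sample_table];
    memcpy(tbl, sample_table, sizeof tbl);
    long off = blank_c_string(tbl, sizeof tbl, "NLSPATH");
    if (off < 0 || find_c_string(tbl, sizeof tbl, "NLSPATH") >= 0)
        return -1;
    return off;
}

/* Slurp a whole file into memory; returns NULL on any error. */
static unsigned char *read_file(const char *path, size_t *len)
{
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return NULL; }
    long sz = ftell(f);
    if (sz < 0) { fclose(f); return NULL; }
    rewind(f);
    unsigned char *buf = malloc((size_t)sz);
    if (!buf || fread(buf, 1, (size_t)sz, f) != (size_t)sz) {
        free(buf); fclose(f); return NULL;
    }
    fclose(f);
    *len = (size_t)sz;
    return buf;
}

/* Usage: ./blank-string <copy-of-libc> NLSPATH   (run on a COPY only). */
int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <copy-of-libc> <string>\n", argv[0]);
        return 2;
    }
    size_t len;
    unsigned char *buf = read_file(argv[1], &len);
    if (!buf) { perror(argv[1]); return 1; }

    long off = blank_c_string(buf, len, argv[2]);
    if (off < 0) {
        fprintf(stderr, "%s: \"%s\" not found, file unchanged\n", argv[1], argv[2]);
        free(buf);
        return 1;
    }
    /* Only the first copy was blanked; say so if more remain. */
    if (find_c_string(buf + off + 1, len - (size_t)off - 1, argv[2]) >= 0)
        fprintf(stderr, "warning: further copies of \"%s\" remain\n", argv[2]);

    /* Write the single NUL byte in place rather than rewriting the file. */
    FILE *out = fopen(argv[1], "r+b");
    if (!out || fseek(out, off, SEEK_SET) != 0 || fputc('\0', out) == EOF) {
        perror("write"); free(buf); return 1;
    }
    fclose(out);
    printf("patched %s: NUL written at offset 0x%lx\n", argv[1], off);
    free(buf);
    return 0;
}
```

The whole-string check matters because a bare substring search would also match inside any longer literal that happens to contain the name; the warning about further copies covers a library that carries the same literal more than once, in which case blanking only the first one may not have the effect you want. Diff the patched copy against the original (one byte should differ) before moving it into place.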

