Bugtraq mailing list archives
Re: Solaris libc locale bug exploit against non-exec stack
From: Chris Wing <wingc () ENGIN UMICH EDU>
Date: Sat, 18 Nov 2000 18:22:17 -0500
Here is a workaround to the libc locale exploit in Solaris that should work
until Sun releases an official patch:

    http://www-personal.engin.umich.edu/~wingc/patches/fix-libc.c

This program modifies the Solaris libc by writing a null byte into the first
occurrence of the string "NLSPATH". Basically, it disables NLSPATH entirely,
by changing (within libc)

    getenv("NLSPATH")

into

    getenv("")

This is tested on Solaris 2.6 and stops the exploit.

To use it, make a copy of libc and run the program on that copy:

    cc -o fix-libc fix-libc.c
    cp /usr/lib/libc.so.1 some-file-name
    ./fix-libc some-file-name

Note that you should only replace libc 'atomically'; if you remove your
existing libc with a shell command, you won't be able to run another shell
command to put a new one in its place. Solaris 'mv' correctly replaces libc
in place, i.e.:

    cp /usr/lib/libc.so.1 somewhere-backup-file
    mv fixed-libc /usr/lib/libc.so.1

Be careful in any case if you do replace libc!!

-Chris Wing
wingc () engin umich edu
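The fix-libc.c program itself is only linked in the post, not reproduced. The block below is an added example, not Chris Wing's code, that performs the same edit: it locates the first "NLSPATH" string in a copy of libc and overwrites its first byte with NUL, so the library's lookup becomes getenv(""). Two details are this example's own choices rather than anything stated in the post: the match requires the string to stand alone (preceded by a NUL or the start of the file and followed by its own terminating NUL), so a longer string that merely contains the letters is skipped, and only the single patched byte is written back so the rest of the file is provably untouched. The patch_nlspath_* names and the constructed sample bytes are likewise assumptions for illustration and are not real Solaris libc contents.

```c
/* Added example (not the fix-libc.c from the post): disable the NLSPATH
 * lookup in a COPY of libc by turning the string "NLSPATH" into "".
 * Build:  cc -o nlspath-patch nlspath-patch.c
 * Use:    ./nlspath-patch copy-of-libc.so.1     (never the live libc)
 */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static const char NEEDLE[] = "NLSPATH";   /* sizeof NEEDLE == 8, NUL included */

/* Offset of the first stand-alone "NLSPATH" string in buf, or -1.
 * Stand-alone = preceded by NUL (or offset 0) and followed by its own NUL,
 * so "NLSPATHX" or a message that merely contains NLSPATH is not matched. */
long find_nlspath(const unsigned char *buf, size_t len)
{
    const size_t n = sizeof NEEDLE;
    for (size_t i = 0; i + n <= len; i++) {
        if ((i == 0 || buf[i - 1] == '\0') && memcmp(buf + i, NEEDLE, n) == 0)
            return (long)i;
    }
    return -1;
}

/* In-memory variant: NUL out the first byte so the key becomes "". Returns the
 * patched offset or -1. A second call returns -1 (nothing left to find). */
long patch_nlspath_buf(unsigned char *buf, size_t len)
{
    long off = find_nlspath(buf, len);
    if (off >= 0)
        buf[off] = '\0';
    return off;
}

/* File variant. Reads the whole file, finds the string, and writes back exactly
 * one byte with pwrite(), so every other byte of the copy is untouched.
 * Returns the patched offset, -1 if "NLSPATH" is absent, -2 on I/O error. */
long patch_nlspath_file(const char *path)
{
    int fd = open(path, O_RDWR);
    if (fd < 0)
        return -2;
    struct stat st;
    if (fstat(fd, &st) < 0) { close(fd); return -2; }
    size_t len = (size_t)st.st_size;
    unsigned char *buf = malloc(len ? len : 1);
    if (!buf) { close(fd); return -2; }
    for (size_t got = 0; got < len; ) {          /* short reads are legal */
        ssize_t r = read(fd, buf + got, len - got);
        if (r <= 0) { free(buf); close(fd); return -2; }
        got += (size_t)r;
    }
    long off = find_nlspath(buf, len);
    free(buf);
    if (off >= 0) {
        const unsigned char nul = 0;
        if (pwrite(fd, &nul, 1, (off_t)off) != 1) { close(fd); return -2; }
    }
    close(fd);
    return off;
}

/* Constructed stand-in for a .rodata fragment (assumption: NOT real libc bytes):
 * NUL-separated variable names, a decoy "NLSPATHX", then the real "NLSPATH". */
static const unsigned char sample[] =
    "LANG\0LC_MESSAGES\0NLSPATHX\0NLSPATH\0LC_ALL\0";

/* Round-trip check on a temp file: exactly one byte changes, the decoy is
 * skipped, and a second run reports nothing to patch. Returns 1 on success. */
int self_check(void)
{
    char path[] = "/tmp/nlspath-selftest-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return 0;
    int ok = 0;
    long want = find_nlspath(sample, sizeof sample);
    unsigned char back[sizeof sample];
    if (want >= 0 && write(fd, sample, sizeof sample) == (ssize_t)sizeof sample
        && patch_nlspath_file(path) == want
        && pread(fd, back, sizeof back, 0) == (ssize_t)sizeof back
        && back[want] == '\0'
        && memcmp(back, sample, (size_t)want) == 0
        && memcmp(back + want + 1, sample + want + 1, sizeof sample - (size_t)want - 1) == 0
        && patch_nlspath_file(path) == -1)
        ok = 1;
    close(fd);
    unlink(path);
    return ok;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s copy-of-libc   (self-test: %s)\n",
                argv[0], self_check() ? "ok" : "FAILED");
        return 2;
    }
    long off = patch_nlspath_file(argv[1]);
    if (off == -2) { perror(argv[1]); return 1; }
    if (off == -1) { fprintf(stderr, "%s: NLSPATH not found (already patched?)\n", argv[1]); return 1; }
    printf("%s: NLSPATH disabled at offset 0x%lx\n", argv[1], off);
    return 0;
}
```

As the post says, run this only on a copy and move the copy into place with mv (a rename on the same filesystem), never by removing the live libc first. A cheap sanity check before the mv is to run the tool a second time on the patched copy: it should report "not found", and cmp against the backup should show exactly one differing byte.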
Current thread:
- Solaris libc locale bug exploit against non-exec stack Warning3 (Nov 15)
- <Possible follow-ups>
- Re: Solaris libc locale bug exploit against non-exec stack Chris Wing (Nov 20)
- Re: Solaris libc locale bug exploit against non-exec stack Christopher Allen Wing (Nov 21)