Bugtraq mailing list archives

Solaris libc locale format string exploit


From: "Solar, Eclipse" <solareclipse () PHREEDOM ORG>
Date: Thu, 19 Oct 2000 19:21:59 -0500

On Sep 8, 2000 Warning3 posted an exploit for the Solaris
libc locale format string vulnerability. This was more than
a month ago.

This bug has not been fixed yet. The Securityfocus vulnerability database
shows no patches for the locale bug on Solaris. Sun's website does not
even mention the existence of this bug.

I understand that fixing a bug in the libc library is not trivial,
but it took most Linux vendors just a couple of days to release
updated glibc packages. Sun acts as if nothing really serious has
happened.

I hope somebody proves me wrong, but Sun doesn't seem to have a
clue about what's going on.

I have written an exploit for the locale vulnerability. It is based on
the exploit code by Warning3, but provides assistance for
guessing the shell code parameters.

For more information, including usage examples see the paper at
http://www.phreedom.org/solar/locale_sol.txt

Get the source code at http://www.phreedom.org/solar/locale_sol.c
or see the attachment.

Solar Eclipse
Phreedom Magazine
http://www.phreedom.org

Attachment: locale_sol.c