Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Bugtraq: Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit

Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit

From: Paul B. Henson <henson_at_intranet.csupomona.edu>
Date: Mon, 18 Nov 1996 18:40:58 -0800

> > I have found what I believe is a very serious security hole in the
> > gethostbyname() function provided in the nsl library of Solaris 2.5 and
> > 2.5.1. The hole allows local users to gain access to a root shell
> > (exploit program provided below). There is a good chance this exploit can
> > be modified to allow a remote attack, but such a method has not yet been
> > found.
>
> After doing some playing around, it looks like this only affects machines
> with patch level 103615-01 and up. Try backing out of that patch and it
> should fix the problem.

I have some Solaris 2.5 machines at different patch levels (see showrev -p
output below), and they're all affected by this bug. Neither one has patch
103615-01 on it. I checked the patch list, and it seems that 103615-* only
applies to 2.5.1, not 2.5. A friend of mine has a 2.5 box with *no* patches
installed, and he said the exploit program doesn't seem to work on it.

Any news on an official patch from Sun?

----- One machine

Patch: 102832-01 Obsoletes: Packages: SUNWolrte, SUNWolslb
Patch: 102841-01 Obsoletes: Packages: SUNWolrte, SUNWolslb
Patch: 102850-01 Obsoletes: Packages: SUNWolrte, SUNWolinc, SUNWolslb
Patch: 102835-01 Obsoletes: Packages: SUNWoldst
Patch: 102837-01 Obsoletes: Packages: SUNWoldst
Patch: 102839-01 Obsoletes: Packages: SUNWoldst
Patch: 102846-01 Obsoletes: Packages: SUNWolimt

----- A different machine

Patch: 103667-01 Obsoletes: Packages: SUNWcsu, SUNWhea
Patch: 103169-06 Obsoletes: Packages: SUNWcsu, SUNWcsr
Patch: 103242-04 Obsoletes: Packages: SUNWcsu, SUNWcsr, SUNWarc, SUNWbtool, SUNWhea, SUNWtoo
Patch: 103279-02 Obsoletes: , Requires:, 103667-01 Packages: SUNWcsu, SUNWcsr
Patch: 103468-01 Obsoletes: Packages: SUNWcsu
Patch: 103703-01 Obsoletes: , Requires:, 103667-01 Packages: SUNWcsu
Patch: 103815-01 Obsoletes: Packages: SUNWcsu
Patch: 103093-06 Obsoletes: 103084-02, 103489-01 Packages: SUNWcsr, SUNWcar
Patch: 103447-03 Obsoletes: Packages: SUNWcsr
Patch: 102832-01 Obsoletes: Packages: SUNWolrte, SUNWolslb
Patch: 102841-01 Obsoletes: Packages: SUNWolrte, SUNWolslb
Patch: 102850-01 Obsoletes: Packages: SUNWolrte, SUNWolinc, SUNWolslb
Patch: 102832-02 Obsoletes: Packages: SUNWolrte, SUNWolslb
Patch: 102835-01 Obsoletes: Packages: SUNWoldst
Patch: 102837-01 Obsoletes: Packages: SUNWoldst
Patch: 102839-01 Obsoletes: Packages: SUNWoldst
Patch: 103300-02 Obsoletes: Packages: SUNWoldst
Patch: 102971-01 Obsoletes: Packages: SUNWscpu
Patch: 103241-01 Obsoletes: Packages: SUNWbcp
Patch: 103746-01 Obsoletes: , Requires:, 103667-01 Packages: SUNWfns
Patch: 103266-01 Obsoletes: Packages: SUNWnisu
Patch: 103708-01 Obsoletes: , Requires:, 103667-01 Packages: SUNWnisu
Patch: 103017-05 Obsoletes: Packages: SUNWssadv, SUNWssaop
Patch: 102846-01 Obsoletes: Packages: SUNWolimt

----- 

--
Paul Henson  |  System Administrator  |  Cal Poly Pomona  |  (909) 869-3781
pbhenson_at_csupomona.edu | finger henson_at_brick.dce.csupomona.edu for PGP key
Received on Nov 18 1996
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos