Home page logo

bugtraq logo Bugtraq mailing list archives

Possibly exploitable buffer overflow in Solaris 2.5.1 ps
From: jzbiciak () MICRO TI COM (Joe Zbiciak)
Date: Mon, 28 Apr 1997 03:54:33 -0500


In poking around, I discovered it's possible to bus-error /usr/bin/ps
on Solaris 2.5.1.  (Not certain if any patches affecting ps have been
applied to the system I discovered this on.)

Giving "-u" a suitably large argument produces the bus error.  I've not
yet managed to exploit it.  Here's my analysis so far:

user arg >9 chars:   null termination lost, extra garbage in error msg.
user arg >32 chars:  ps gets completely confused about commandline and
                     prints generic usage information.
user arg >95 chars:  ps starts segmentation faulting.
user arg >100 chars: ps starts bus-erroring.

(This is using a commandline of the form 'ps -u aaaaa....aaaa'.)

It appears from this that the return address is at offset 96.  Now it's
just a matter of someone digging out the generic Solaris 'sploit and
tuning 'er up.


 +--------------Joseph Zbiciak--------------+
 |- - - - - jzbiciak () micro ti com  - - - - -|
 | - - http://ee1.bradley.edu/~im14u2c/ - - |      Not your average "Joe."
 |- - - - Texas Instruments,  Dallas - - - -|
 +-------#include <std_disclaimer.h>--------+

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]