mailing list archives
Possibly exploitable buffer overflow in Solaris 2.5.1 ps
From: jzbiciak () MICRO TI COM (Joe Zbiciak)
Date: Mon, 28 Apr 1997 03:54:33 -0500
In poking around, I discovered it's possible to bus-error /usr/bin/ps
on Solaris 2.5.1. (Not certain if any patches affecting ps have been
applied to the system I discovered this on.)
Giving "-u" a suitably large argument produces the bus error. I've not
yet managed to exploit it. Here's my analysis so far:
user arg >9 chars: null termination lost, extra garbage in error msg.
user arg >32 chars: ps gets completely confused about commandline and
prints generic usage information.
user arg >95 chars: ps starts segmentation faulting.
user arg >100 chars: ps starts bus-erroring.
(This is using a commandline of the form 'ps -u aaaaa....aaaa'.)
It appears from this that the return address is at offset 96. Now it's
just a matter of someone digging out the generic Solaris 'sploit and
tuning 'er up.
|- - - - - jzbiciak () micro ti com - - - - -|
| - - http://ee1.bradley.edu/~im14u2c/ - - | Not your average "Joe."
|- - - - Texas Instruments, Dallas - - - -|