Home page logo

bugtraq logo Bugtraq mailing list archives

Re: BIG Security Hole in Solaris 2.X (X)passwd + exploit (fwd)
From: avarvit () CC ECE NTUA GR (Aggelos P. Varvitsiotis)
Date: Thu, 27 Feb 1997 19:44:57 +0200

Cristian SCHIPOR <skipo () sundy cs pub ro> writes:

An Exploit for a Big Big security hole in passwd ( + yppasswd and nispasswd)

Under Solaris 2.X passwd, yppasswd and nispasswd can be overflowed in
an internal function ( some like sa_chauthtok() ). Using a buffer
overflow exploit anyone can gain root access (passwd need suid exec bit
from root). passwd has a second  overflow bug  when it is called with
'-s' option in an internal strcpy().

I written two exploits one for Solaris 2.4 and one for Solaris 2.5 for
sa_chauthtok() type function ( passwd LEMON_BUFFER ). It's a little trick
here - the LEMON_BUFFER is shifted in memory with 1 char after exec so it
must to shift the LEMON_BUFFER in a reverse direction before exec -
that's happening only for a special combination of the exec args -
see my exploits.

[exploits deleted]

I verified the exploit on Solaris 2.5.1, when /etc/nsswitch.conf contains
the line

passwd: files

However, as it was the case with the gethostbyname() exploit, when
/etc/nsswitch.conf reads

passwd: files nis

the exploit did not work. It seems than passwd(1) queries the NIS
server and falls into some kind of an infinite loop. Maybe Casper Dik
(who, if I remember well, had an explanation for the gethostbyname()
case) can explain this better than I can.

Can anyone confirm this behavior?

a.varvitsiotis () ece ntua gr                      A.Varvitsiotis
                                             ICCS Computer Center
                                      National Technical University of Athens

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]