mailing list archives
Re: BIG Security Hole in Solaris 2.X (X)passwd + exploit (fwd)
From: avarvit () CC ECE NTUA GR (Aggelos P. Varvitsiotis)
Date: Thu, 27 Feb 1997 19:44:57 +0200
Cristian SCHIPOR <skipo () sundy cs pub ro> writes:
> An exploit for a big, big security hole in passwd (+ yppasswd and nispasswd)
> Under Solaris 2.X, passwd, yppasswd and nispasswd can be overflowed in
> an internal function (something like sa_chauthtok()). Using a buffer
> overflow exploit, anyone can gain root access (passwd needs the suid exec bit
> from root). passwd has a second overflow bug when it is called with
> the '-s' option, in an internal strcpy().
> I wrote two exploits, one for Solaris 2.4 and one for Solaris 2.5, for the
> sa_chauthtok()-type function (passwd LEMON_BUFFER). There is a little trick
> here: the LEMON_BUFFER is shifted in memory by 1 char after exec, so it
> must shift the LEMON_BUFFER in the reverse direction before exec.
> That happens only for a special combination of the exec args;
> see my exploits.
I verified the exploit on Solaris 2.5.1, when /etc/nsswitch.conf contains
However, as was the case with the gethostbyname() exploit, when
passwd: files nis
the exploit did not work. It seems that passwd(1) queries the NIS
server and falls into some kind of infinite loop. Maybe Casper Dik
(who, if I remember well, had an explanation for the gethostbyname()
case) can explain this better than I can.
Can anyone confirm this behavior?
a.varvitsiotis () ece ntua gr A.Varvitsiotis
ICCS Computer Center
National Technical University of Athens