Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Solaris ld.so possibly vulnerable?
From: vermont () GATE NET (Illuminatus Primus)
Date: Mon, 21 Jul 1997 01:43:26 -0400


On Fri, 18 Jul 1997, Dan Fleisher wrote:

Hi, here is the results of a test which indicate that Solaris (2.4 at
least) ld.so might be vulnerable to this overflow:

        memset(b, 'A', sizeof(b));

        putenv("LD_PRELOAD=foobar");

        execl(argv[1], b, 0);
        write(2, err2, sizeof(err2));

bash$ sot /bin/sh
Segmentation Fault (core dumped)

I thought sot might be segfaulting before it came time to exec anything
due to the fact that b isnt null terminated, but terminating it didn't
change anything.  Using gdb on sot on slowaris x86:

Program received signal SIGTRAP, Trace/breakpoint trap.
0x8000546a in ?? ()
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x8000cec2 in ?? () from /usr/lib/libdl.so.1
(gdb)

So something is obviously going haywire in the dynamic loader...



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]