Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Solaris ld.so possibly vulnerable?
From: casper () HOLLAND SUN COM (Casper Dik)
Date: Tue, 22 Jul 1997 11:47:28 +0200


As for the existance of a stack overrun condition similar to the one
in Linux in the Solaris ld.so, I do not believe this to be the case.

The bug the program you posted triggers is indeed becasue of a call to
strcpy(), however the buffers in question are not on the stack but are
malloc()ed during run time.  (There are some cases where ld.so first calls
strlen() to determine how much memory to ask malloc() for, if I remember
correctly; obviously, the particular instance you've discovered is not one
of those).


The bug is in a routine that formats error messages into a dynamically allocated
buffer.

SInce the buffer will live after the program's data segment, the _iob
(stdioflow) trick won't work on it.

Also, when applied to a set-uid/set-gid program it isn't possible to
force an ld.so error using LD_PRELOAD (ignored) or many of the
other LD_ variables; they're mostly ignored)

However, in some versions of Solaris such errors are generated by the
implementation of dynamically loadable functionality and on such systems
you can crash set-uid executables.


Casper



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]