Bugtraq mailing list archives

Re: ospf_monitor (Solaris 2.5)
From: smm () WPI EDU (Seth Michael McGann)
Date: Thu, 22 Oct 1998 02:25:13 -0400

On Thu, 22 Oct 1998, Seth Michael McGann wrote:

> I can confirm that the version in FreeBSD 2.2.6 is indeed vulnerable, the
> stack is smashed and we are root at the time :(.  Fortunately, it is not
> executable by anyone but root or group ospf.  I would venture that Solaris
> x86 is vulnerable.  The exploit is trivial, just change the target in your
> favorite local overflow and exec.

I hate to reply to myself, but:

On further inspection, it appears ospf_monitor drops privileges after
opening a raw multicast socket, but before it overflows.  So basically, no
instant root, but you have an open raw socket descriptor, which could be
useful.  Ah well...
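
The follow-up's point, that a descriptor opened before a privilege drop stays open after it, shown as an added example (not part of the original post and not ospf_monitor code). The function names, the uid/gid 65534 and the AF_UNIX socket pair standing in for the raw socket are assumptions made for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* exposes setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* SO_TYPE of fd (SOCK_DGRAM, SOCK_RAW, ...), or -1 if closed or not a socket. */
int fd_socket_type(int fd)
{
    int type = 0;
    socklen_t len = sizeof type;
    if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &len) != 0)
        return -1;
    return type;
}

/* Number of descriptors in [0, limit) that are sockets of the given type. */
int count_sockets_of_type(int limit, int type)
{
    int n = 0;
    for (int fd = 0; fd < limit; fd++)
        n += (fd_socket_type(fd) == type);
    return n;
}

/* Permanent drop from root (groups, gid, uid); -1 if a step fails or root is regainable. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return (uid != 0 && setuid(0) == 0) ? -1 : 0;
}

int main(void)
{
    int sv[2];
    /* Constructed stand-in for the privileged socket: SOCK_RAW needs root,
     * so an AF_UNIX datagram pair keeps the example runnable unprivileged. */
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0)
        return 1;
    if (geteuid() == 0 && drop_privileges(65534, 65534) != 0) /* assumed "nobody" ids */
        return 1;
    /* The uid changed (when started as root); the descriptor table did not. */
    printf("datagram sockets still open: %d\n", count_sockets_of_type(256, SOCK_DGRAM));
    printf("raw sockets held: %d\n", count_sockets_of_type(256, SOCK_RAW));
    return 0;
}
```

Running `count_sockets_of_type(limit, SOCK_RAW)` right after the drop in a setuid network tool shows which privileged sockets the unprivileged code path still holds.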
