Re: ospf_monitor (Solaris 2.5)
From: smm () WPI EDU (Seth Michael McGann)
Date: Thu, 22 Oct 1998 02:25:13 -0400
On Thu, 22 Oct 1998, Seth Michael McGann wrote:
> I can confirm that the version in FreeBSD 2.2.6 is indeed vulnerable, the
> stack is smashed and we are root at the time :(. Fortunately, it is not
> executable by anyone but root or group ospf. I would venture that Solaris
> x86 is vulnerable. The exploit is trivial, just change the target in your
> favorite local overflow and exec.

I hate to reply to myself, but:
On further inspection, it appears ospf_monitor drops privileges after
opening a raw multicast socket, but before it overflows. So basically, no
instant root, but you have an open raw socket descriptor, which could be
useful. Ah well...
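
Added example, not part of the original post and not code from ospf_monitor or gated: a small C audit that a program could run right after dropping privileges to find sockets of a given type that are still open and mark them close-on-exec. The function names are hypothetical, and an unprivileged AF_UNIX datagram pair is used as a constructed stand-in for the raw socket, which needs root to create.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Socket type of fd (SOCK_RAW, SOCK_DGRAM, ...), or -1 if closed or not a socket. */
int fd_socket_type(int fd)
{
    int type = 0;
    socklen_t len = sizeof(type);
    if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &len) != 0)
        return -1;
    return type;
}

/* Set close-on-exec so a later exec'd program does not inherit fd.
 * This does not protect the descriptor inside the process itself;
 * for that, the code handling untrusted input must not hold it at all. */
int mark_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0 ? -1 : 0;
}

/* Scan descriptors lo..hi-1, mark every socket of type `want` close-on-exec,
 * and return how many were found still open. */
int audit_sockets(int lo, int hi, int want)
{
    int found = 0;
    for (int fd = lo; fd < hi; fd++) {
        if (fd_socket_type(fd) != want)
            continue;
        found++;
        mark_cloexec(fd);
    }
    return found;
}

int main(void)
{
    int sv[2]; /* constructed sample descriptors, see lead-in */
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0) {
        perror("socketpair");
        return 1;
    }
    printf("datagram sockets left open: %d\n", audit_sockets(3, sv[1] + 1, SOCK_DGRAM));
    printf("raw sockets left open: %d\n", audit_sockets(3, sv[1] + 1, SOCK_RAW));
    return 0;
}
```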