Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

bugtraq logo Bugtraq mailing list archives

Re: Solaris libc exploit
From: hume () DEN BOFH HALIFAX NS CA (Brandon Hume)
Date: Wed, 14 Jul 1999 16:16:30 -0300


4118295 LC_* can be used to obtain root access from setuid programs

This is already fixed in Solaris 7 and the following patches for
Solaris 2.6:
  RELEASE     ARCH  PATCH
  5.6         i386  105211-06
  5.6         sparc 105210-06


OK, did I miss the later messages on this topic?  I've been waiting for a
formal announcement from Sun, or a real patch, or someone to say that this
patch definitely fixes the problem, or SOMETHING...

I don't know what version of patching Peter was talking about, but right
now, I can consistently gain root on my Solaris 7 sparc box, with MU2
applied, using the LC_MESSAGES buffer overflow exploit.  And I can
consistently do Bad Things to sh on a Solaris 2.6 box with 105210-19
(its a production machine, I can't actively root it).

I'm praying I missed something.  Did I?

--
Brandon Hume    - hume -> BOFH.Halifax.NS.Ca, http://WWW.BOFH.Halifax.NS.Ca/
                       -> Solaris Snob and general NOCMonkey

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]