Bugtraq mailing list archives

Re: Solaris/SPARC 2.7 lpset exploit (well not likely !)
From: Casper.Dik () HOLLAND SUN COM (Casper Dik)
Date: Mon, 1 May 2000 17:08:59 +0200


> lpset seems to use strcat() to pass the argument for the -r flag
> (/usr/lib/print/lib/../../../../tmp/foo) and appends .so to the end.
> In this case /tmp/foo.so is going to be dlopen()ed,
> but there is a special case: the /usr/lib/print/lib directory has to exist.
> xploit shell script is attached.

Is there any case in which the directory is created on a standard system?

Also, the code that has this bug (henceforth known as Sun bug #4334568)
was removed in Solaris 8.

Casper
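
The path construction discussed in this message, as an added example (not part of the original post and not Sun's lpset source): a naive builder that concatenates the caller-supplied name between the directory and `.so`, next to a version that accepts only a single safe path component. The function names, the 64-byte limit and the sample module name `bsd_module` are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MODULE_DIR "/usr/lib/print/lib"   /* directory named in the post */

/* Pattern described in the post: the name is joined as-is, so "../"
 * components walk out of MODULE_DIR before ".so" is appended.
 * snprintf() is used here only so the demo itself cannot overflow. */
static int build_path_naive(const char *name, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s.so", MODULE_DIR, name);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Hardened form: the name must be one path component drawn from a small
 * alphabet. No '/' is allowed and a leading '.' is rejected, so neither
 * ".." nor an absolute path can reach the loader. */
static int build_path_checked(const char *name, char *out, size_t outlen)
{
    size_t len = strlen(name);
    if (len == 0 || len > 64 || name[0] == '.')
        return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.')
            return -1;
    }
    int n = snprintf(out, outlen, "%s/%s.so", MODULE_DIR, name);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

int main(void)
{
    /* Constructed inputs: the traversal string quoted in the post and a
     * hypothetical legitimate module name. */
    const char *inputs[] = { "../../../../tmp/foo", "bsd_module" };
    char path[256];

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (build_path_naive(inputs[i], path, sizeof path) == 0)
            printf("naive:   %s\n", path);
        if (build_path_checked(inputs[i], path, sizeof path) == 0)
            printf("checked: %s\n", path);
        else
            printf("checked: rejected \"%s\"\n", inputs[i]);
    }
    return 0;
}
```

The check is purely lexical, so it does not depend on whether the module directory exists on the system.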

