Bugtraq mailing list archives

Solaris libc locale bug exploit against non-exec stack
From: Warning3 <warning3 () mail com>
Date: Tue, 14 Nov 2000 19:27:25 +0800


It seems Sun hasn't supplied the patch for the libc locale bug yet.
Many suid programs are affected by this bug, e.g. passwd, eject, login,
ping, rcp, etc. It is not enough to just drop "eject"'s suid bit.
You are also not safe even if you have enabled non-exec stack protection.
Attached is the exploit against "/usr/bin/passwd" in Solaris 2.6/7
(SPARC) with non-exec stack protection.

regards,
warning3

Attachment: local_nonexec_sun.c