Solaris libc locale bug exploit against non-exec stack
From: Warning3 <warning3 () mail com>
Date: Tue, 14 Nov 2000 19:27:25 +0800
It seems Sun hasn't supplied the patch for the libc locale bug yet.
Many suid programs are affected by this bug, e.g. passwd, eject, login,
ping, rcp, etc. It is not enough to just drop "eject"'s suid bit.
You are also not safe even if you have enabled non-exec stack protection.
Attached is the exploit against "/usr/bin/passwd" in Solaris 2.6/7
(SPARC) with non-exec stack protection.