Bugtraq mailing list archives

Re: Buffer overflow in Solaris 2.6/2.7 /usr/bin/lpstat


From: casper () HOLLAND SUN COM (Casper Dik)
Date: Thu, 28 Jan 1999 21:32:28 +0100


On Aug/25/98 Sun released the following patches for lp:

Solaris2.6 Sparc: 106235-02
Solaris2.6 x86:   106236

It is quite sad that they did not fix another overflow in
/usr/bin/lpstat. I tested this bug on both Solaris 2.7 x86
and 2.6 Sparc; I assume that it is also present on Solaris 2.6
x86 and 2.7 Sparc.

Solaris 2.7 x86
% plasmoid@gorkie:foo> lpstat -c `perl -e 'print "A" x 998'`
% UX:lpstat: ERROR: Class
                   [...]
%                   AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" does
%                   not exist.
%           TO FIX: Use the "lpstat -c all" command to list
%                   all known classes.
% Segmentation Fault
% plasmoid@gorkie:foo>


Hm, but if you look at it with truss another picture appears:

It appears that the program that core dumps is /usr/lib/lp/local/lpstat.
That program is not set-uid.  The intervening shell (hm, someone using
system again???) resets the uid.

9125:   execve("/usr/bin/lpstat", 0xFFBEF3DC, 0xFFBEF3EC)  argc = 3
9125:       *** SUID: ruid/euid/suid = 21782 / 0 / 0  ***
9125:       *** SGID: rgid/egid/sgid = 320 / 320 / 320  ***
9125:    argv: lpstat -c
9125:     
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
9126:   execve("/bin/sh", 0xFFBEEB98, 0xFFBEF404)  argc = 3
9126:    argv: sh -c
9126:     /usr/lib/lp/local/lpstat -c 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
9126:   setuid(21782)                                   = 0
9128:   execve("/usr/lib/lp/local/lpstat", 0x0003A654, 0x0003A664)  argc = 3
9128:       *** SUID: ruid/euid/suid = 21782 / 21782 / 21782  ***
9128:    argv: /usr/lib/lp/local/lpstat -c
9128:     
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
UX:lpstat: ERROR: Class
                  "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" does
                  not exist.
          TO FIX: Use the "lpstat -c all" command to list
                  all known classes.
9128:       Incurred fault #6, FLTBOUNDS  %pc = 0xFF2B679C
9128:         siginfo: SIGSEGV SEGV_MAPERR addr=0x78787878
9128:       Received signal #11, SIGSEGV [default]
9128:         siginfo: SIGSEGV SEGV_MAPERR addr=0x78787878
9128:           *** process killed ***
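To make the credential reasoning in the trace above mechanical, here is an added triage script (my own example, not code from the post or from Sun): it parses the truss(1) format shown in the message, tracks ruid/euid/suid per pid from the `*** SUID:` annotations and from successful setuid() calls, and reports which image received the fatal signal and whether that process still held any privilege. The embedded trace is a constructed, abbreviated copy of the one quoted above (the long argument is shortened). The fork lines that truss -f would normally print are absent from the quoted trace, so a pid that never got its own SUID annotation is reported with unknown credentials rather than guessed.

```python
"""Triage a Solaris truss(1) trace: which process crashed, and what
credentials did it hold at that moment?  Added example for this thread,
not code from the original post."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: abbreviated copy of the trace quoted in the message.
SAMPLE_TRACE = """\
9125:   execve("/usr/bin/lpstat", 0xFFBEF3DC, 0xFFBEF3EC)  argc = 3
9125:       *** SUID: ruid/euid/suid = 21782 / 0 / 0  ***
9125:       *** SGID: rgid/egid/sgid = 320 / 320 / 320  ***
9125:    argv: lpstat -c xxxxxxxxxxxxxxxx
9126:   execve("/bin/sh", 0xFFBEEB98, 0xFFBEF404)  argc = 3
9126:    argv: sh -c
9126:     /usr/lib/lp/local/lpstat -c xxxxxxxxxxxxxxxx
9126:   setuid(21782)                                   = 0
9128:   execve("/usr/lib/lp/local/lpstat", 0x0003A654, 0x0003A664)  argc = 3
9128:       *** SUID: ruid/euid/suid = 21782 / 21782 / 21782  ***
9128:    argv: /usr/lib/lp/local/lpstat -c xxxxxxxxxxxxxxxx
9128:       Incurred fault #6, FLTBOUNDS  %pc = 0xFF2B679C
9128:         siginfo: SIGSEGV SEGV_MAPERR addr=0x78787878
9128:       Received signal #11, SIGSEGV [default]
9128:         siginfo: SIGSEGV SEGV_MAPERR addr=0x78787878
9128:           *** process killed ***
"""

EXECVE_RE = re.compile(r'^(\d+):\s+execve\("([^"]+)"')
CRED_RE = re.compile(r'^(\d+):\s+\*\*\* SUID: ruid/euid/suid = (\d+) / (\d+) / (\d+)')
SETUID_RE = re.compile(r'^(\d+):\s+setuid\((\d+)\)\s+= 0')
SIGNAL_RE = re.compile(r'^(\d+):\s+Received signal #(\d+), (\w+)')

Creds = Tuple[int, int, int]  # (ruid, euid, suid)


@dataclass
class Proc:
    pid: int
    image: Optional[str] = None
    creds: Optional[Creds] = None  # None: truss never annotated this pid

    def privileged(self) -> Optional[bool]:
        """True if the process is root in any slot or can switch identity."""
        if self.creds is None:
            return None
        ruid, euid, suid = self.creds
        return euid == 0 or suid == 0 or euid != ruid or suid != ruid


@dataclass
class Crash:
    pid: int
    signal: str
    image: Optional[str]
    creds: Optional[Creds]
    privileged: Optional[bool]


def apply_setuid(creds: Creds, uid: int) -> Creds:
    """Model setuid(2): a root caller drops all three ids, an unprivileged
    caller changes only its effective id (the saved id is left alone)."""
    ruid, euid, suid = creds
    if euid == 0:
        return (uid, uid, uid)
    return (ruid, uid, suid)


def triage(trace: str) -> List[Crash]:
    """Walk the trace line by line, keeping per-pid image and credentials,
    and record every process that received a signal."""
    procs: Dict[int, Proc] = {}
    crashes: List[Crash] = []
    for line in trace.splitlines():
        if m := EXECVE_RE.match(line):
            pid, image = int(m.group(1)), m.group(2)
            procs.setdefault(pid, Proc(pid)).image = image
        elif m := CRED_RE.match(line):
            pid = int(m.group(1))
            procs.setdefault(pid, Proc(pid)).creds = tuple(
                int(x) for x in m.group(2, 3, 4))  # type: ignore[assignment]
        elif m := SETUID_RE.match(line):
            pid, uid = int(m.group(1)), int(m.group(2))
            p = procs.setdefault(pid, Proc(pid))
            if p.creds is not None:  # unknown stays unknown: do not guess
                p.creds = apply_setuid(p.creds, uid)
        elif m := SIGNAL_RE.match(line):
            pid = int(m.group(1))
            p = procs.setdefault(pid, Proc(pid))
            crashes.append(Crash(pid, m.group(3), p.image, p.creds, p.privileged()))
    return crashes


def summarize(crashes: List[Crash]) -> str:
    """One line per crash, stating image, credentials and privilege verdict."""
    out = []
    for c in crashes:
        verdict = {True: "PRIVILEGED", False: "unprivileged", None: "unknown"}[c.privileged]
        creds = "/".join(map(str, c.creds)) if c.creds else "?"
        out.append(f"pid {c.pid} {c.image or '?'} got {c.signal} "
                   f"with ruid/euid/suid {creds}: {verdict}")
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(triage(SAMPLE_TRACE)))
```

Run against the quoted trace this reports the SIGSEGV in pid 9128, /usr/lib/lp/local/lpstat, with ruid/euid/suid 21782/21782/21782, i.e. unprivileged, which is the point the reply makes: the set-uid /usr/bin/lpstat hands the untrusted argument to a shell that has already called setuid() to the real user, so the helper that overflows runs with no privilege left to gain. For a real investigation, feed it a full `truss -f -o file` capture, which also carries the fork lines this abbreviated sample lacks.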


