Vulnerability Development mailing list archives
in.comsat buffer overflow in solaris 8
From: Robert Weber <robert.weber () COLORADO EDU>
Date: Tue, 6 Feb 2001 08:34:32 -0700
Systems affected:
Any system running Solaris 8
Background:
In Solaris 8, Sun eliminated the wtmp/utmp with the improved
wtmpx/utmpx. In the update of all programs that read these, someone missed
a "char tty[20]" that stores a utmpx->ut_line[32]. When ptys start
getting high in number, comsat dumps core.
So what:
Well, I'm not good enough to somehow put a bad pty in the utmpx and
somehow use the extra 12 chars for an exploit, but I think it's shoddy
work. I'd love to see an exploit but it's probably not possible. I
reported the bug to Sun last year sometime and I've never heard back, other
than "we'll look into fixing it in the next 18-36 months".
Workaround:
I guess you can use xbiff or a better mail program. It is the 21st
century and all that.
Robert Weber
University of Colorado
UnixOps
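
The size mismatch described in the post (a 20-byte buffer receiving a 32-byte ut_line field that need not be NUL-terminated), as an added example of a bounded copy; it is not code from the post or from Sun's in.comsat. The names copy_ut_line, field_len, UT_LINE_SZ and OLD_TTY_SZ are assumptions made for illustration, and the sample entries are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define UT_LINE_SZ 32   /* width of utmpx ut_line, per the post */
#define OLD_TTY_SZ 20   /* the leftover "char tty[20]", per the post */

/* Length of a fixed-width field that may lack a terminating NUL. */
static size_t field_len(const char *f, size_t width)
{
    const char *nul = memchr(f, '\0', width);
    return nul ? (size_t)(nul - f) : width;
}

/* Copy ut_line into dst, always NUL-terminating.
 * Returns 0 if it fit, -1 if it was truncated or dst is unusable. */
static int copy_ut_line(char *dst, size_t dstsz, const char *line, size_t width)
{
    size_t n;
    if (dstsz == 0)
        return -1;
    n = field_len(line, width);
    if (n >= dstsz) {               /* would overflow: truncate and report */
        memcpy(dst, line, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return -1;
    }
    memcpy(dst, line, n);
    dst[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample entries, not real utmpx data. */
    char short_line[UT_LINE_SZ] = "pts/7";
    char full_line[UT_LINE_SZ];
    char old_tty[OLD_TTY_SZ];
    char new_tty[UT_LINE_SZ + 1];   /* sized from the field, plus NUL */

    memset(full_line, 'A', sizeof full_line);   /* all 32 bytes used, no NUL */
    printf("%d %s\n", copy_ut_line(old_tty, sizeof old_tty, short_line, UT_LINE_SZ), old_tty);
    printf("%d %s\n", copy_ut_line(old_tty, sizeof old_tty, full_line, UT_LINE_SZ), old_tty);
    printf("%d %s\n", copy_ut_line(new_tty, sizeof new_tty, full_line, UT_LINE_SZ), new_tty);
    return 0;
}
```

Sizing the destination as the field width plus one, rather than a hard-coded 20, is what lets the third call succeed without truncation.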
