Re: Solaris ld.so possibly vulnerable?

Illuminatus Primus (vermont@GATE.NET)
Mon, 21 Jul 1997 01:43:26 -0400

On Fri, 18 Jul 1997, Dan Fleisher wrote:

> Hi, here is the results of a test which indicate that Solaris (2.4 at
> least) ld.so might be vulnerable to this overflow:
>
> memset(b, 'A', sizeof(b));
>
> putenv("LD_PRELOAD=foobar");
>
> execl(argv[1], b, 0);
> write(2, err2, sizeof(err2));
>
> bash$ sot /bin/sh
> Segmentation Fault (core dumped)

I thought sot might be segfaulting before it came time to exec anything
due to the fact that b isn't null terminated, but terminating it didn't
change anything. Using gdb on sot on slowaris x86:

Program received signal SIGTRAP, Trace/breakpoint trap.
0x8000546a in ?? ()
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x8000cec2 in ?? () from /usr/lib/libdl.so.1
(gdb)

So something is obviously going haywire in the dynamic loader...