Bugtraq archives for 4th quarter (Oct-Dec) 1996: Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit

Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit

Tim Newsham (newsham@aloha.net)
Wed, 20 Nov 1996 18:37:36 -1000

> > The exploit does not work on my 2.5.1 Ultra-1.  Presumably this is
> > just a matter of getting the machine code right for the platform. ;)
>
> According to Dave Miller (Linux sparc guru) the I & D caches on the ultra
> are not coherent, so you'll need to find a way to flush the I cache.

Cache coherency is not the problem here.  The
exploit uses an opcode (twice) that causes an illegal
instruction exception on sun4u.  Replacing the
instruction with something appropriate for sun4u
results in a working exploit.  The instruction is
the "ta" instruction, a working opcode is "ta 8" for
both occurrences.

> Alan

                                Tim N.
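The substitution described in the reply above, worked through as an added example that is not part of the original post or of the exploit it discusses: a small C patcher that encodes the SPARC "ta <imm>" trap instruction (V8 Tcc format, immediate operand, rs1 = %g0) and rewrites every "ta <n>" word in a big-endian code buffer to "ta 8", so that both occurrences are fixed in one pass. The sample buffer is constructed for this example only; it uses "ta 0" as an assumed stand-in for the instruction that faults on sun4u, since the message does not say which trap number the exploit originally used.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SPARC "ta <imm>" (trap always, immediate operand, rs1 = %g0) encoding:
 *   op = 10, cond = 1000 (always), op3 = 111010, i = 1, sw_trap# = low 7 bits.
 * "ta 8" therefore encodes to 0x91d02008, the Solaris 2 system-call trap. */
uint32_t sparc_ta(unsigned trapno)
{
    return 0x91d02000u | (trapno & 0x7fu);
}

/* Match any "ta <imm>" with rs1 = %g0, whatever the trap number: the mask
 * keeps every field except the 7-bit software trap number. */
int is_sparc_ta(uint32_t insn)
{
    return (insn & 0xffffff80u) == 0x91d02000u;
}

/* SPARC is big-endian; read and write instruction words byte by byte so the
 * patcher behaves the same when run on a little-endian host. */
static uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void store_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24);
    p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);
    p[3] = (uint8_t)v;
}

/* Rewrite every "ta <n>" in a SPARC code buffer to "ta <newtrap>" and return
 * how many instructions were changed. len must be a multiple of 4. */
size_t patch_traps(uint8_t *code, size_t len, unsigned newtrap)
{
    size_t patched = 0;
    for (size_t off = 0; off + 4 <= len; off += 4) {
        uint32_t insn = load_be32(code + off);
        if (is_sparc_ta(insn)) {
            store_be32(code + off, sparc_ta(newtrap));
            patched++;
        }
    }
    return patched;
}

/* Constructed sample, NOT the exploit's payload: a toy sequence that traps
 * twice. "ta 0" is assumed here as the stand-in for the instruction that
 * faults on sun4u; the post does not say which trap number the exploit used. */
static const uint8_t sample_code[] = {
    0x82, 0x10, 0x20, 0x01,   /* mov 1, %g1  (or %g0, 1, %g1) */
    0x91, 0xd0, 0x20, 0x00,   /* ta 0                         */
    0x01, 0x00, 0x00, 0x00,   /* nop                          */
    0x91, 0xd0, 0x20, 0x00,   /* ta 0                         */
};

uint8_t patched_code[sizeof sample_code];

/* Copy the sample into patched_code and convert its traps to "ta 8".
 * Returns the number of instructions rewritten (2 for the sample above). */
size_t patch_sample(void)
{
    memcpy(patched_code, sample_code, sizeof sample_code);
    return patch_traps(patched_code, sizeof patched_code, 8);
}

int main(void)
{
    size_t n = patch_sample();
    printf("patched %zu trap instruction(s)\n", n);
    for (size_t off = 0; off < sizeof patched_code; off += 4)
        printf("%08x\n", load_be32(patched_code + off));
    return 0;
}
```

The matcher deliberately keys on the whole Tcc encoding rather than on a single trap number, so a payload that mixes trap numbers is normalised in one pass; the patched words still match is_sparc_ta afterwards, which is why a second run reports the same count rather than zero.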