Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit
Tim Newsham (newsham at aloha.net)
Wed, 20 Nov 1996 18:37:36 -1000
- Next message: Dennis Simpson: "Re: gethostbyname hole"
- Previous message: Mark Graff: "Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit"
- In reply to: Alan Cox: "Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit"
> > The exploit does not work on my 2.5.1 Ultra-1. Presumably this is
> > just a matter of getting the machine code right for the platform. ;)
>
> According to Dave Miller (Linux sparc guru) the I & D caches on the ultra
> are not coherent, so you'll need to find a way to flush the I cache.
Cache coherency is not the problem here. The exploit uses an opcode (twice) that causes an illegal instruction exception on sun4u. Replacing the instruction with something appropriate for sun4u results in a working exploit. The instruction is the "ta" instruction; a working opcode is "ta 8" for both occurrences.
> Alan
Tim N.