Subject: Re: Solaris/SPARC 2.7 lpset exploit (well not likely !)
From: Casper Dik (Casper.Dik@HOLLAND.SUN.COM)
Date: Mon May 01 2000 - 10:08:59 CDT
>lpset seems to use strcat() to pass the argument for -r flag
> ( /usr/lib/print/lib/../../../../tmp/foo) and appends .so to the end.
>in this case /tmp/foo.so is going to be dlopen
>but there is a special case /usr/lib/print/lib directory has to exist.
>xploit shell script is attached.

Is there any case in which the directory is created on a standard system?

Also, the code that has this bug (henceforth known as Sun bug #4334568)
was removed in Solaris 8.

Casper
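
The path construction discussed in this thread, as an added example that is not part of the original messages and is not Sun's code: it shows how the unchecked `-r` argument yields a path outside the module directory, next to a name check that rejects it. The function names, the 64-character limit and the sample name `modname` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MODULE_DIR "/usr/lib/print/lib" /* directory named in the post */

/* Pattern from the post (same unchecked concatenation, written with snprintf):
 * "../" components in the argument steer the path out of MODULE_DIR. */
int naive_module_path(const char *name, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s.so", MODULE_DIR, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened form (hypothetical): accept only a bare file name built from
 * [A-Za-z0-9_-], so '/', ".." and over-long input never reach the loader. */
int safe_module_path(const char *name, char *out, size_t outlen)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-";
    size_t len = strlen(name);
    if (len == 0 || len > 64 || strspn(name, ok) != len)
        return -1;
    return naive_module_path(name, out, outlen);
}

/* Reports whether a built path still contains a parent-directory component. */
int has_dotdot(const char *path)
{
    return strstr(path, "/../") != NULL;
}

int main(void)
{
    /* Constructed inputs: a plain name and the traversal form from the post. */
    const char *args[] = { "modname", "../../../../tmp/foo" };
    char path[256];
    for (size_t i = 0; i < 2; i++) {
        naive_module_path(args[i], path, sizeof path);
        printf("naive %-20s -> %s (dotdot=%d)\n", args[i], path, has_dotdot(path));
        if (safe_module_path(args[i], path, sizeof path) == 0)
            printf("safe  %-20s -> %s\n", args[i], path);
        else
            printf("safe  %-20s -> rejected\n", args[i]);
    }
    return 0;
}
```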