Subject: Re: Solaris libc locale bug exploit against non-exec stack
From: Chris Wing (wingc ENGIN.UMICH.EDU)
Date: Sat Nov 18 2000 - 17:22:17 CST
- Next message: Gossi The Dog: "WinVNC 3.3.x"
- Previous message: JW Oh: "[hacksware] Ethereal 0.8.13 AFS ACL parsing buffer overflow bug"
- Maybe in reply to: Warning3: "Solaris libc locale bug exploit against non-exec stack"
- Next in thread: Christopher Allen Wing: "Re: Solaris libc locale bug exploit against non-exec stack"
- Maybe reply: Chris Wing: "Re: Solaris libc locale bug exploit against non-exec stack"

Here is a workaround to the libc locale exploit in Solaris that should
work until Sun releases an official patch:

    http://www-personal.engin.umich.edu/~wingc/patches/fix-libc.c

This program modifies the Solaris libc by writing a null byte into the
first occurrence of the string "NLSPATH". Basically, it disables NLSPATH
entirely, by changing (within libc)

    getenv("NLSPATH")

into

    getenv("")

This is tested on Solaris 2.6 and stops the exploit.

To use it, make a copy of libc and run the program on that copy:

    cc -o fix-libc fix-libc.c
    cp /usr/lib/libc.so.1 some-file-name
    ./fix-libc some-file-name

Note that you should only replace libc 'atomically'; if you remove your
existing libc with a shell command, you won't be able to run another shell
command to put a new one in its place. Solaris 'mv' correctly replaces
libc in place, i.e.:

    cp /usr/lib/libc.so.1 somewhere-backup-file
    mv fixed-libc /usr/lib/libc.so.1

Be careful in any case if you do replace libc!!

-Chris Wing
wingc engin.umich.edu
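
A pre-install check for the workaround described in the message above, as an added example that is not part of the original post and is not the linked fix-libc.c: it confirms that a patched copy differs from the original in exactly one byte, the 'N' of the first "NLSPATH", before the copy is moved into place. The function names and the two-argument command line are assumptions made for this example.

```c
/* Added example, not fix-libc.c: all names here are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Offset of the first occurrence of needle in buf, or -1 (binary-safe). */
long find_first(const unsigned char *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; m && i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return (long)i;
    return -1;
}
/* The edit the post describes: NUL over the 'N' of the first "NLSPATH". */
long null_first_nlspath(unsigned char *buf, size_t n) {
    long off = find_first(buf, n, "NLSPATH");
    if (off >= 0) buf[off] = 0;
    return off;
}
/* 1 if fixed differs from orig in exactly that one byte, else 0. */
int verify_patch(const unsigned char *orig, const unsigned char *fixed, size_t n) {
    long off = find_first(orig, n, "NLSPATH");
    if (off < 0 || fixed[off] != 0) return 0;
    for (size_t i = 0; i < n; i++)
        if (i != (size_t)off && orig[i] != fixed[i]) return 0;
    return 1;
}

/* Read a whole file into memory; caller frees. NULL on error or empty file. */
static unsigned char *slurp(const char *path, size_t *n) {
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    long sz = fseek(f, 0, SEEK_END) == 0 ? ftell(f) : -1;
    rewind(f);
    unsigned char *b = sz > 0 ? malloc((size_t)sz) : NULL;
    if (b && fread(b, 1, (size_t)sz, f) != (size_t)sz) { free(b); b = NULL; }
    fclose(f);
    *n = b ? (size_t)sz : 0;
    return b;
}
/* usage: prog ORIGINAL PATCHED-COPY; exits 0 only if the check passes */
int main(int argc, char **argv) {
    size_t a = 0, b = 0;
    unsigned char *o = argc == 3 ? slurp(argv[1], &a) : NULL;
    unsigned char *p = o ? slurp(argv[2], &b) : NULL;
    if (!p) return 2;
    int ok = a == b && verify_patch(o, p, a);
    puts(ok ? "ok: one-byte NLSPATH patch" : "MISMATCH: do not install");
    return !ok;
}
```

Run it with the untouched /usr/lib/libc.so.1 and the patched copy as its two arguments, after ./fix-libc and before the mv step; a nonzero exit status means the copy should not be installed.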