Return-Path: owner-bugtraq@SECURITYFOCUS.COM X-Mailer: USANET web-mailer (M3.4.0.33) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable Message-ID: <20000106192435.7204.qmail@nw175.netaddress.usa.net> Date: Thu, 6 Jan 2000 13:24:35 CST Reply-To: Brock Tellier Sender: Bugtraq List From: Brock Tellier Subject: Re: [Hackerslab bug_paper] Solaris chkperm buffer overflow X-To: "±è¿ëÁØ KimYongJun (99Á¹¾÷)" , BUGTRAQ@SECURITYFOCUS.COM To: BUGTRAQ@SECURITYFOCUS.COM >[Hackerslab bug_paper] Solaris chkperm buffer overflow > >[Hackerslab:/users/loveyou/buf]$ chkperm -n `perl -e 'print "x" x 200'` >Segmentation fault (core dumped) > >it is recommended that the suid bit is >removed from chkperm using command : > > chmod 400 /usr/vmsys/bin/chkperm Hrm, yeah, I found this one some months ago while I was checking out chkp= erm's ability to read bin-owned files. After some testing I concluded that, at= least on SPARC, the function where the overflow occurs will exit() before= it is allowed to return (and then return again), meaning that a buffer overf= low exploit is probably not possible. I would be interested to see if anyone= came to a different conclusion. Brock Tellier UNIX Systems Administrator Chicago, IL, USA btellier@usa.net - www.technotronic.com/xnec ____________________________________________________________________ Get free email and a permanent address at http://www.netaddress.com/?N=3D= 1