Date: Tue, 11 May 1999 11:43:46 +0900
From: kim yong-jun homepage=ce.hannam.ac.kr/~s96192
To: BUGTRAQ@netspace.org
Subject: SunOS 5.6 (X86) lpset vulnerability

This is my second post to BugTraq.
If this is old, I'm sorry.

It's a buffer overflow in "/usr/bin/lpset".

View this command:

[loveyou@/] % /usr/bin/lpset -a key=`perl -e 'print "x" x 1006'` loveyou

[loveyou@/] % /usr/bin/lpset -a key=`perl -e 'print "x" x 1007'` loveyou
Segmentation fault

:) byebye..

>-------------------------------------------------------------<
Loveyou's World
Yong-Jun, Kim ( bugscan@kosnet.net )
Network Engineer
>-------------------------------------------------------------<

--------------------------------------------------------------------------

Date: Tue, 11 May 1999 22:39:25 -0500
From: Craig Johnston
To: BUGTRAQ@netspace.org
Subject: Re: SunOS 5.6 (X86) lpset vulnerability

On Tue, 11 May 1999, kim yong-jun homepage=ce.hannam.ac.kr/~s96192 wrote:

> This is my second post to BugTraq.
> If this is old, I'm sorry.
>
> It's a buffer overflow in "/usr/bin/lpset".
>
> View this command:
> [loveyou@/] % /usr/bin/lpset -a key=`perl -e 'print "x" x 1006'` loveyou
>
> [loveyou@/] % /usr/bin/lpset -a key=`perl -e 'print "x" x 1007'` loveyou
> Segmentation fault

On my Solaris 2.6 and 2.7 systems, unless you are already uid 0 or are gid 14, lpset bombs before it can dump core, with "Permission denied: not in group 14." It dumps core as root. So apparently this will only get one a gid 14 -> uid 0 upgrade.

I found on my Solaris systems I had already stripped the setuid bit because we don't use the program and Sun does a truly pathetic job of rooting the buffer overflows out of their setuid code. With the number of units of Solaris that are sold, every setuid/setgid binary on the system should have been audited for overflows. It's really pathetic that we are still seeing them. It's especially cute when Sun ships a new version with holes for which patches were available for the previous version. (see 'ufsrestore')

--------------------------------------------------------------------------

Date: Thu, 13 May 1999 11:39:18 -0500
From: Sam Carter
To: BUGTRAQ@netspace.org
Subject: Re: SunOS 5.6 (X86) lpset vulnerability

It failed with: 'Permission denied: not in group 14' when I tried it on a
SunOS 5.6 Generic_105181-11 sun4u sparc SUNW,Ultra-250

The header stated that this was for x86, but the manpage says that:

    Only a superuser or a member of Group 14 may execute lpset.

and I'm assuming that is the same on both architectures.

--sam

--------------------------------------------------------------------------

Date: Thu, 13 May 1999 12:16:31 -0600
From: Holt Sorenson
To: BUGTRAQ@netspace.org
Subject: Re: SunOS 5.6 (X86) lpset vulnerability

On Tue, May 11, 1999 at 11:43:46AM +0900, kim yong-jun homepage=ce.hannam.ac.kr/~s96192 wrote:

> This is my second post to BugTraq.
> If this is old, I'm sorry.
>
> It's a buffer overflow in "/usr/bin/lpset".
>
> View this command:
> [loveyou@/] % /usr/bin/lpset -a key=`perl -e 'print "x" x 1006'` loveyou
>
> [loveyou@/] % /usr/bin/lpset -a key=`perl -e 'print "x" x 1007'` loveyou
> Segmentation fault

This is also present on 2.6 sparc and on 2.7 sparc:

Thu May 13 12:11:59 host1 ~ 294 $ uname -a
SunOS host1 5.7 Generic_106541-01 sun4u sparc SUNW,Ultra-1
Thu May 13 12:12:10 host1 ~ 292 $ /usr/bin/lpset -a key=`perl -e 'print "x" x 1011'` alpr
Segmentation Fault

[host2] /home/user 131 > uname -a
SunOS host2 5.6 Generic_105181-13 sun4u sparc SUNW,Ultra-1
[host2] /home/user 131 > /usr/bin/lpset -a \
key=`perl -e 'print "x" x 1011'` alpr
Segmentation Fault

--
Holt Sorenson  hso@uen.org  http://www.uen.org/staff/hso
PGP key id 0x4557CBD3 11/17/97 (DSS/Diffie-Hellman)
PGP key fingerprint "EED8 93AF 9A77 8A7A A7DB 5041 B7E1 47BA 4557 CBD3"

--------------------------------------------------------------------------

Date: Fri, 14 May 1999 00:58:27 -0400
From: James Edwards
To: BUGTRAQ@netspace.org
Subject: Re: SunOS 5.6 (X86) lpset vulnerability

Sam Carter wrote:

> It failed with: 'Permission denied: not in group 14' when I tried it on a
> SunOS 5.6 Generic_105181-11 sun4u sparc SUNW,Ultra-250
>
> The header stated that this was for x86, but the manpage says that:
>     Only a superuser or a member of Group 14 may execute lpset.
> and I'm assuming that is the same on both architectures.
>
> --sam

I get the same results on the x86 architecture...
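The pattern behind a crash like the one the thread reports, as an added example that is not lpset's source and not posted by any of the participants: a hypothetical `key=value` argument parser that copies the value into a fixed stack buffer with no length check, beside a bounded version that refuses an over-long argument instead of overrunning. The 1007-byte buffer size is an assumption chosen so the accept/reject boundary lands on the 1006/1007 probe from the thread; the real binary's layout is unknown here.

```c
#include <stddef.h>
#include <string.h>

/* Assumed, not lpset's real layout: a fixed buffer holding the value plus
 * its terminating NUL, so 1006 bytes fit and 1007 are one byte too many. */
#define VALUE_BUF 1007

/* Unbounded form: the pattern that produces a segmentation fault.  The text
 * after "key=" is copied with no length check, so an over-long argument
 * writes past the end of value[] into the rest of the stack frame. */
int parse_kv_unbounded(const char *arg, char *key_out, size_t key_sz)
{
    char value[VALUE_BUF];
    const char *eq = strchr(arg, '=');
    if (eq == NULL || (size_t)(eq - arg) >= key_sz)
        return -1;
    memcpy(key_out, arg, (size_t)(eq - arg));
    key_out[eq - arg] = '\0';
    strcpy(value, eq + 1);          /* overflows when strlen(eq + 1) >= VALUE_BUF */
    return (int)strlen(value);
}

/* Bounded form: measure first, reject anything that would not fit with its
 * NUL, and only then copy.  The caller gets -1 instead of a crash. */
int parse_kv_bounded(const char *arg, char *key_out, size_t key_sz,
                     char *value_out, size_t value_sz)
{
    const char *eq = strchr(arg, '=');
    if (eq == NULL)
        return -1;                  /* malformed: no '=' separator */
    size_t klen = (size_t)(eq - arg);
    size_t vlen = strlen(eq + 1);
    if (klen == 0 || klen >= key_sz || vlen >= value_sz)
        return -1;                  /* key or value would not fit */
    memcpy(key_out, arg, klen);
    key_out[klen] = '\0';
    memcpy(value_out, eq + 1, vlen + 1);
    return (int)vlen;               /* accepted: length of the value */
}

/* Constructed probe mirroring the thread: "key=" followed by n 'x' bytes,
 * fed to the bounded parser.  Returns n when accepted, -1 when rejected. */
int probe_bounded(size_t n)
{
    char arg[4 + 2048], key[64], value[VALUE_BUF];
    if (n > 2048)
        return -1;
    memcpy(arg, "key=", 4);
    memset(arg + 4, 'x', n);
    arg[4 + n] = '\0';
    return parse_kv_bounded(arg, key, sizeof key, value, sizeof value);
}
```

With the bounded parser the 1006-byte value is accepted and the 1007-byte value is refused with an error, which is the behaviour a setgid utility should have shown in place of the core dump.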