Re: Solaris priocntl exploit
From: Casper *** (Casper.***@Sun.COM)
Date: 11/27/02
- Previous message: Aaron C. Newman (Application Security, Inc.): "ASI Sybase Security Alert: Buffer overflow in DROP DATABASE"
- In reply to: ÝþÒãÁˆ: "Solaris priocntl exploit"
- Next in thread: Casper ***: "Re: Solaris priocntl exploit"
- Reply: Casper ***: "Re: Solaris priocntl exploit"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "ÝþÒãÁˆ" <kk_qq@263.net>
Date: Wed, 27 Nov 2002 21:56:37 +0100
From: Casper *** <Casper.***@Sun.COM>
>The module's name is a relative path; priocntl will search for the module file
>only in the /kernel/sched and /usr/kernel/sched/ directories,
>but unfortunately priocntl() never checks for '../' in the pc_clname argument,
>so we can use '../../../tmp/module' to make priocntl() load a module from anywhere.
The "pc_clname[]" argument is limited in size; to prevent this particular
bug from being exploited you could:
    for dir in /kernel /usr/kernel
    do
        cd "$dir" || exit 1
        # Bury the real sched directory eight levels deep so that a
        # pc_clname[] of bounded length cannot climb back out with "../".
        mkdir -p a/b/c/d/e/f/g/h
        mv sched a/b/c/d/e/f/g/h
        # Leave a symlink where the module search path expects "sched";
        # path resolution follows the link first, so "../" starts from the
        # relocated directory, not from $dir.
        ln -s a/b/c/d/e/f/g/h/sched .
    done
Casper
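The following is an added example, not code from Casper's message or from Sun: it models why the relocation above works. It builds a throwaway copy of the kernel/sched layout in a temporary directory (constructed input, not a real system), applies the same mkdir/mv/ln -s steps, and then checks whether any class name that still fits in pc_clname[] can resolve to a path outside the tree. The buffer size PC_CLNMSZ is assumed to be 16 bytes here, which is its value in Solaris's <sys/priocntl.h>; the tree root and function names are this example's own.

```python
import os
import tempfile

DEEP_PATH = "a/b/c/d/e/f/g/h"   # nesting used in the posted workaround
PC_CLNMSZ = 16                   # assumed size of pc_clname[] (Solaris value)


def make_tree(root, workaround):
    """Create <root>/kernel/sched; with workaround=True, relocate it as the
    posted shell loop does and leave a symlink in its place.
    Returns the path the module search would consult."""
    kernel = os.path.join(root, "kernel")
    os.makedirs(os.path.join(kernel, "sched"))
    if workaround:
        deep = os.path.join(kernel, DEEP_PATH)
        os.makedirs(deep)                                   # mkdir -p a/b/c/d/e/f/g/h
        os.rename(os.path.join(kernel, "sched"),
                  os.path.join(deep, "sched"))              # mv sched a/b/.../h
        os.symlink(os.path.join(DEEP_PATH, "sched"),
                   os.path.join(kernel, "sched"))           # ln -s a/b/.../h/sched .
    return os.path.join(kernel, "sched")


def resolves_inside(search_dir, clname, root):
    """True if search_dir/clname, with symlinks followed and '..' applied,
    still lies under root (realpath follows the sched symlink before it
    applies '..', exactly as the kernel's lookup does)."""
    target = os.path.realpath(os.path.join(search_dir, clname))
    root = os.path.realpath(root)
    return target == root or target.startswith(root + os.sep)


def first_escape(search_dir, root, limit=PC_CLNMSZ):
    """Try every name of the form '../'*k + one-character module name that
    fits in a NUL-terminated buffer of `limit` bytes. Returns
    (escapes, k) for the first traversal that leaves root, or (False, None)."""
    for k in range(1, limit):
        name = "../" * k + "m"
        if len(name) + 1 > limit:        # +1 for the terminating NUL
            break
        if not resolves_inside(search_dir, name, root):
            return True, k
    return False, None


def check(workaround):
    """Build the constructed tree and report whether a bounded-length
    class name can escape it."""
    with tempfile.TemporaryDirectory() as root:
        search_dir = make_tree(root, workaround)
        return first_escape(search_dir, root)


if __name__ == "__main__":
    print("plain layout, first escaping depth:", check(False))
    print("relocated layout, first escaping depth:", check(True))
```

With the plain layout three "../" components (10 bytes) already climb out of the tree. After relocation, the longest name that fits in 16 bytes can climb only four levels, which leaves it deep inside the a/b/c/d/e/f/g/h chain, so no module outside the tree can be named. The check is a model of path length versus directory depth only; it says nothing about a kernel that stops validating pc_clname altogether, which is why the workaround is a stopgap rather than a fix.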