`Date: Tue, 11 May 1999 11:43:46 +0900
From: kim yong-jun homepage=ce.hannam.ac.kr/~s96192 <[email protected]>
To: [email protected]
Subject: SunOS 5.6 (X86) lpset vulnerability
This is my second post to BugTraq.
If this is old, I'm sorry.
It's a buffer overflow in "/usr/bin/lpset".
View this command :
[loveyou@/] % /usr/bin/lpset -a key=`perl -e 'print "x" x 1006'` loveyou
[loveyou@/] % /usr/bin/lpset -a key=`perl -e 'print "x" x 1007'` loveyou
Segmentation fault
:)
byebye..
>-------------------------------------------------------------<
Loveyou's World
Yong-Jun , Kim ( [email protected] )
Network Engineer
>-------------------------------------------------------------<
--------------------------------------------------------------------------
Date: Tue, 11 May 1999 22:39:25 -0500
From: Craig Johnston <[email protected]>
To: [email protected]
Subject: Re: SunOS 5.6 (X86) lpset vulnerability
On Tue, 11 May 1999, kim yong-jun homepage=ce.hannam.ac.kr/~s96192 wrote:
> This is my second post to BugTraq.
> If this is old, I'm sorry.
>
>
> It's a buffer overflow in "/usr/bin/lpset".
>
> View this command :
> [loveyou@/] % /usr/bin/lpset -a key=`perl -e 'print "x" x 1006'` loveyou
>
> [loveyou@/] % /usr/bin/lpset -a key=`perl -e 'print "x" x 1007'` loveyou
> Segmentation fault
On my Solaris 2.6 and 2.7 systems, unless you are already uid 0 or
are gid 14 lpset bombs before it can dump core, with "Permission
denied: not in group 14."
It dumps core as root.
So apparently this will only get one a gid 14 -> uid 0 upgrade.
I found on my Solaris systems I had already stripped the setuid bit
because we don't use the program and Sun does a truly pathetic job of
rooting the buffer overflows out of their setuid code.
With the number of units of Solaris that are sold, every setuid/setgid
binary on the system should have been audited for overflows. It's
really pathetic that we are still seeing them.
It's especially cute when Sun ships a new version with holes for which
patches were available for the previous version. (see 'ufsrestore')
--------------------------------------------------------------------------
Date: Thu, 13 May 1999 11:39:18 -0500
From: Sam Carter <[email protected]>
To: [email protected]
Subject: Re: SunOS 5.6 (X86) lpset vulnerability
It failed with: 'Permission denied: not in group 14' when I tried it on a
SunOS 5.6 Generic_105181-11 sun4u sparc SUNW,Ultra-250
the header stated that this was for x86, but the manpage says that:
Only a superuser or a member of Group 14 may execute lpset.
and I'm assuming that is the same on both architectures.
--sam
--------------------------------------------------------------------------
Date: Thu, 13 May 1999 12:16:31 -0600
From: Holt Sorenson <[email protected]>
To: [email protected]
Subject: Re: SunOS 5.6 (X86) lpset vulnerability
On Tue, May 11, 1999 at 11:43:46AM +0900, kim yong-jun homepage=ce.hannam.ac.kr/~s96192 wrote:
> This is my second post to BugTraq.
> If this is old, I'm sorry.
>
>
> It's a buffer overflow in "/usr/bin/lpset".
>
> View this command :
> [loveyou@/] % /usr/bin/lpset -a key=`perl -e 'print "x" x 1006'` loveyou
>
> [loveyou@/] % /usr/bin/lpset -a key=`perl -e 'print "x" x 1007'` loveyou
> Segmentation fault
This is also present on 2.6 sparc and on 2.7 sparc:
Thu May 13 12:11:59
host1 ~ 294 $ uname -a
SunOS host1 5.7 Generic_106541-01 sun4u sparc SUNW,Ultra-1
Thu May 13 12:12:10
host1 ~ 292 $ /usr/bin/lpset -a key=`perl -e 'print "x" x 1011'` alpr
Segmentation Fault
[host2] /home/user 131 > uname -a
SunOS host2 5.6 Generic_105181-13 sun4u sparc SUNW,Ultra-1
[host2] /home/user 131 > /usr/bin/lpset -a \
key=`perl -e 'print "x" x 1011'` alpr
Segmentation Fault
--
Holt Sorenson
[email protected] http://www.uen.org/staff/hso
PGP key id 0x4557CBD3 11/17/97 (DSS/Diffie-Hellman)
PGP key fingerprint "EED8 93AF 9A77 8A7A A7DB 5041 B7E1 47BA 4557 CBD3"
--------------------------------------------------------------------------
Date: Fri, 14 May 1999 00:58:27 -0400
From: James Edwards <[email protected]>
To: [email protected]
Subject: Re: SunOS 5.6 (X86) lpset vulnerability
Sam Carter wrote:
> It failed with: 'Permission denied: not in group 14' when I tried it on a
> SunOS 5.6 Generic_105181-11 sun4u sparc SUNW,Ultra-250
>
> the header stated that this was for x86, but the manpage says that:
> Only a superuser or a member of Group 14 may execute lpset.
> and I'm assuming that is the same on both architectures.
>
> --sam
I get the same results on the x86 architecture...
`
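Craig Johnston's reply in the thread above describes stripping the setuid bit from programs that are not in use. The script below is an added example, not part of the original thread: it inventories setuid/setgid files under a directory, flags any that are not on a site allowlist, and clears the bits on the flagged ones. The function names, the allowlist format (one path per line) and the scratch files in `demo` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). All file names below are constructed.

# audit_suid DIR ALLOWLIST
# Print "STATUS mode owner:group path" for every setuid/setgid regular file
# under DIR. STATUS is ALLOWED if the exact path is listed in ALLOWLIST
# (one path per line), otherwise REVIEW.
audit_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    sort |
    while IFS= read -r f; do
        if grep -Fxq -- "$f" "$2"; then status=ALLOWED; else status=REVIEW; fi
        meta=$(ls -ld -- "$f" | awk '{print $1, $3 ":" $4}')
        printf '%s %s %s\n' "$status" "$meta" "$f"
    done
}

# strip_unlisted DIR ALLOWLIST
# Clear the setuid and setgid bits on every file audit_suid marks REVIEW.
strip_unlisted() {
    audit_suid "$1" "$2" |
    while read -r status mode owner f; do
        if [ "$status" = REVIEW ]; then
            chmod u-s,g-s "$f"
        fi
    done
}

# Constructed demo: a scratch tree with one setuid file that is in use and
# one that is not, standing in for a real /usr/bin.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/bin"
    : > "$d/bin/needed-tool"; : > "$d/bin/unused-tool"
    chmod 4755 "$d/bin/needed-tool" "$d/bin/unused-tool"
    printf '%s\n' "$d/bin/needed-tool" > "$d/allowlist"
    echo "before:"; audit_suid "$d" "$d/allowlist"
    strip_unlisted "$d" "$d/allowlist"
    echo "after:";  audit_suid "$d" "$d/allowlist"
    rm -rf "$d"
}
demo
```

Run `audit_suid` on its own first and review the REVIEW lines before calling `strip_unlisted` on a real system directory.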