Date: Tue, 11 May 1999 11:43:46 +0900
From: kim yong-jun homepage=ce.hannam.ac.kr/~s96192 <bugscan@KOSNET.NET>
To: BUGTRAQ@netspace.org
Subject: SunOS 5.6 (X86) lpset vulnerability

This is my second post to BugTraq.
If this is old, I'm sorry.


It's buffer overflow in "/usr/bin/lpset".

View this command :
[loveyou@/] % /usr/bin/lpset -a key=`perl  -e 'print "x" x 1006'` loveyou

[loveyou@/] % /usr/bin/lpset -a key=`perl  -e 'print "x" x 1007'` loveyou
Segmentation fault

:)

byebye..

>-------------------------------------------------------------<
  Loveyou's World
  Yong-Jun , Kim ( bugscan@kosnet.net )
  Network Engineer
>-------------------------------------------------------------<

--------------------------------------------------------------------------

Date: Tue, 11 May 1999 22:39:25 -0500
From: Craig Johnston <caj@LFN.ORG>
To: BUGTRAQ@netspace.org
Subject: Re: SunOS 5.6 (X86) lpset vulnerability

On Tue, 11 May 1999, kim yong-jun homepage=ce.hannam.ac.kr/~s96192 wrote:

> This is my second post to BugTraq.
> If this is old, I'm sorry.
>
>
> It's buffer overflow in "/usr/bin/lpset".
>
> View this command :
> [loveyou@/] % /usr/bin/lpset -a key=`perl  -e 'print "x" x 1006'` loveyou
>
> [loveyou@/] % /usr/bin/lpset -a key=`perl  -e 'print "x" x 1007'` loveyou
> Segmentation fault

On my Solaris 2.6 and 2.7 systems, unless you are already uid 0 or
are gid 14, lpset bombs before it can dump core, with "Permission
denied: not in group 14."

It dumps core as root.

So apparently this will only get one a gid 14 -> uid 0 upgrade.

I found on my Solaris systems I had already stripped the setuid bit
because we don't use the program and Sun does a truly pathetic job of
rooting the buffer overflows out of their setuid code.

With the number of units of Solaris that are sold, every setuid/setgid
binary on the system should have been audited for overflows.  It's
really pathetic that we are still seeing them.

It's especially cute when Sun ships a new version with holes for which
patches were available for the previous version.  (see 'ufsrestore')

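A defender-side companion to the remediation Craig describes above (stripping the setuid bit from an lpset nobody uses): the script below is an added example, not code from the thread or from Sun, that audits a directory tree for setuid/setgid files and strips the bits from a named binary. It assumes a POSIX sh with find and chmod, and it builds a constructed demo tree under $TMPDIR standing in for /usr/bin rather than touching the real system.

```shell
#!/bin/sh
# Added example (not from the BUGTRAQ thread): audit a tree for setuid/setgid
# binaries and strip the bits from ones the site does not use, which is the
# mitigation described for lpset. Assumes POSIX sh, find and chmod.

# List every setuid or setgid regular file under the given root, sorted.
list_privileged() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Remove both the setuid and setgid bits from one file.
strip_privilege() {
    chmod u-s,g-s "$1"
}

# Count setuid/setgid files under a root (handy for a before/after report).
count_privileged() {
    list_privileged "$1" | wc -l | tr -d ' '
}

# Constructed demo tree standing in for /usr/bin: two privileged files and
# one ordinary file. Nothing here is a real system binary.
demo_root="${TMPDIR:-/tmp}/setuid-audit.$$"
mkdir -p "$demo_root/usr/bin"
: > "$demo_root/usr/bin/lpset";  chmod 4755 "$demo_root/usr/bin/lpset"   # setuid
: > "$demo_root/usr/bin/lpstat"; chmod 2755 "$demo_root/usr/bin/lpstat"  # setgid
: > "$demo_root/usr/bin/cat";    chmod 0755 "$demo_root/usr/bin/cat"     # ordinary

echo "Privileged files before remediation ($(count_privileged "$demo_root")):"
list_privileged "$demo_root"

# The site does not use lpset, so drop its privilege bits.
strip_privilege "$demo_root/usr/bin/lpset"

echo "Privileged files after remediation ($(count_privileged "$demo_root")):"
list_privileged "$demo_root"
```

Run it against a real root by replacing demo_root with / (and dropping the constructed tree); the `-perm -4000 -o -perm -2000` test is POSIX, so the same audit works on Solaris find as well as GNU find.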
--------------------------------------------------------------------------

Date: Thu, 13 May 1999 11:39:18 -0500
From: Sam Carter <petrov@OWLNET.RICE.EDU>
To: BUGTRAQ@netspace.org
Subject: Re: SunOS 5.6 (X86) lpset vulnerability

It failed with: 'Permission denied: not in group 14' when I tried it on a
SunOS 5.6 Generic_105181-11 sun4u sparc SUNW,Ultra-250

The header stated that this was for x86, but the manpage says that:
     Only a superuser or a member of Group 14 may execute lpset.
and I'm assuming that is the same on both architectures.

--sam

--------------------------------------------------------------------------

Date: Thu, 13 May 1999 12:16:31 -0600
From: Holt Sorenson <hso@UEN.ORG>
To: BUGTRAQ@netspace.org
Subject: Re: SunOS 5.6 (X86) lpset vulnerability

On Tue, May 11, 1999 at 11:43:46AM +0900, kim yong-jun homepage=ce.hannam.ac.kr/~s96192 wrote:
> This is my second post to BugTraq.
> If this is old, I'm sorry.
> 
> 
> It's buffer overflow in "/usr/bin/lpset".
> 
> View this command :
> [loveyou@/] % /usr/bin/lpset -a key=`perl  -e 'print "x" x 1006'` loveyou
> 
> [loveyou@/] % /usr/bin/lpset -a key=`perl  -e 'print "x" x 1007'` loveyou
> Segmentation fault
This is also present on 2.6 sparc and on 2.7 sparc:

Thu May 13 12:11:59
host1 ~ 294 $ uname -a
SunOS host1 5.7 Generic_106541-01 sun4u sparc SUNW,Ultra-1

Thu May 13 12:12:10
host1 ~ 292 $ /usr/bin/lpset -a key=`perl  -e 'print "x" x 1011'` alpr
Segmentation Fault

[host2] /home/user 131 > uname -a
SunOS host2 5.6 Generic_105181-13 sun4u sparc SUNW,Ultra-1

[host2] /home/user 131 > /usr/bin/lpset -a  \ 
                           key=`perl  -e 'print "x" x 1011'` alpr
Segmentation Fault

-- 

Holt Sorenson
hso@uen.org   http://www.uen.org/staff/hso
PGP key id 0x4557CBD3 11/17/97 (DSS/Diffie-Hellman)
PGP key fingerprint "EED8 93AF 9A77 8A7A A7DB 5041 B7E1 47BA 4557 CBD3"

--------------------------------------------------------------------------

Date: Fri, 14 May 1999 00:58:27 -0400
From: James Edwards <albeniz@EARTHLINK.NET>
To: BUGTRAQ@netspace.org
Subject: Re: SunOS 5.6 (X86) lpset vulnerability

Sam Carter wrote:

> It failed with: 'Permission denied: not in group 14' when I tried it on a
> SunOS 5.6 Generic_105181-11 sun4u sparc SUNW,Ultra-250
>
> The header stated that this was for x86, but the manpage says that:
>      Only a superuser or a member of Group 14 may execute lpset.
> and I'm assuming that is the same on both architectures.
>
> --sam

I get the same results on the x86 architecture...