Hi,
Solaris 7 on 64-bit SPARC crashes, but you need to fill the
buffer with more than 1200 bytes.
The segfault occurs on an ldsb instruction, so I don't know if
it's feasible to exploit this bug (haven't done enough investigation).
Nowadays I'm using wrappers to prevent this kind of exploit,
since I can't afford to wait for Sun's patches. If you need a quick
workaround using wrappers, drop me a mail and I'll send you a simple
wrapper.
--
Filipe Almeida <[EMAIL PROTECTED]>
aka LiquidK
> -----Original Message-----
> From: Bugtraq List [mailto:[EMAIL PROTECTED]] On
> Behalf Of Robert Sink
> Sent: Monday, 16 April 2001 21:48
> To: [EMAIL PROTECTED]
> Subject: Re: Solaris ipcs vulnerability
>
>
> I've tried:
>
> TZ=`/usr/local/bin/perl -e 'print "A"x1107'`
>
> ...on... both 64 bit Solaris 8 and Solaris 7 (we have no 32
> bit machines here) and cannot get the programs to crash.
> They just happily display the A's, plus the other information
> and exit normally.
>
> Solaris 7: SunOS xxx 5.7 Generic_106541-12 sun4u sparc
> Solaris 8: SunOS xxx 5.8 Generic_108528-05 sun4u sparc
>
> I keep the patches on the bleeding edge, but I can find
> nothing offhand in the latest patchdiag.xref that would have
> altered this.
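
The wrapper workaround mentioned in the reply above, sketched as an added example; this is not Filipe Almeida's wrapper and not code from this thread. It assumes the original program has been renamed to the hypothetical path `/usr/bin/ipcs.real` and that 64 bytes is a generous bound for a legitimate `TZ` value; the wrapper is installed under the original name and passes only a checked `TZ` to the real binary.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define REAL_BINARY "/usr/bin/ipcs.real" /* assumed: original binary, renamed */
#define TZ_MAX_LEN  64                   /* assumed bound for a sane TZ value */

/* Return 1 if the TZ value is unset, or short and made of plain characters. */
static int tz_is_safe(const char *v)
{
    size_t i;

    if (v == NULL)
        return 1;
    for (i = 0; v[i] != '\0'; i++) {
        unsigned char c = (unsigned char)v[i];
        if (i >= TZ_MAX_LEN)
            return 0;                    /* too long: stop scanning here */
        if (!isalnum(c) && strchr("/_+-:,.<>", c) == NULL)
            return 0;                    /* character not expected in a TZ */
    }
    return 1;
}

/* TZ to hand on: the caller's value if safe (NULL when unset), else "UTC". */
static const char *choose_tz(const char *v)
{
    return tz_is_safe(v) ? v : "UTC";
}

int main(int argc, char **argv)
{
    static char path[] = "PATH=/usr/bin";
    char tzvar[TZ_MAX_LEN + 4];          /* "TZ=" + value + NUL */
    char *envp[3];
    const char *tz = choose_tz(getenv("TZ"));
    int n = 0;

    (void)argc;
    /* Fresh environment: oversized, odd or duplicate entries never get through. */
    envp[n++] = path;
    if (tz != NULL) {
        snprintf(tzvar, sizeof tzvar, "TZ=%s", tz);
        envp[n++] = tzvar;
    }
    envp[n] = NULL;
    execve(REAL_BINARY, argv, envp);
    perror("execve");                    /* reached only if the exec failed */
    return 127;
}
```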