Local root exploit for a buffer overflow in CDE libDtHelp library that allows local users to execute arbitrary code via a modified DTHELPUSERSEARCHPATH environment variable and the Help feature. Works against Solaris/SPARC 7/8/9. This is the ret-into-ld.so version of raptor_libdthelp.c, able to bypass the non-executable stack protection (noexec_user_stack=1 in /etc/system).
b8436092faaf18ae6c0392c009430729a21181ff6e47eb8696bfd081a924f23bLocal root exploit for a buffer overflow in CDE libDtHelp library that allows local users to execute arbitrary code via a modified DTHELPUSERSEARCHPATH environment variable and the Help feature. Works against Solaris/SPARC 7/8/9.
5e7614c63543acb78f04d9c4e7b85a01cf23e73fb1477712065be31ad5ee010biDEFENSE Security Advisory 08.25.04-2 - Exploitation of a buffer overflow in the libDtHelp library included with CDE can allow local attackers to gain root privileges. The vulnerability specifically exists due to a lack of bounds checking on the LOGNAME environment variable. Local attackers can specify a long LOGNAME to trigger a buffer overflow in any application linked with libDtHelp. The overflow is activated once the help subsystem is accessed by selecting any option under the Help menu.
4e0aced12468daa1bd790fda025e6ae00229c6c766c04cbfdc46ea9ccbd789c1Two specific flaws may allow for local root exploit of systems with CDE (Common Desktop Environment) less than 5.3.4.
6ae8d3aef331113e42c843bd40e8738e99b2cc60e654cac0c82ae6970b30c0fe
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed