{"vuid":"VU#6901","idnumber":"6901","name":"Solaris libc getopt(3) contains buffer overflow","keywords":["getopt.c","buffer overflow","root access","solaris","sun","libc"],"overview":"Solaris libc getopt(3) contains a buffer overflow vulnerability. Please note the date of this report:  1/27/1997. This does not affect current versions of Solaris.","clean_desc":"From <http://www.atstake.com/research/advisories/1997/getopt.txt>: A buffer overflow condition exists in the getopt(3) routine in Solaris libc. By supplying an invalid option and replacing argv[0] of a SUID program that uses the getopt(3) function with the appropriate address and machine code instructions, it is possible to overwrite the saved stack frame and upon return(s) force the processor to execute user supplied instructions with elevated permissions.","impact":"A local user can gain root access.","resolution":"Please see <http://au.sunsolve.sun.com/pub-cgi/retrieve.pl?type=0&doc=secbull%2F141&display=plain>.","workarounds":"From <http://www.atstake.com/research/advisories/1997/getopt.txt>: For those with source: If you are one of the few people who have a source code license the fix should be fairly simple. Replace the sprintf() routine in getopt.c with snprintf() and rebuld libc. Super Ugly kludge fix: If you don't have the source code available (like most of us), one solution is to use adb to change the name for getopt with something like getopz, yank a publicly available getopt.c, and put it in place of getopt. See also section 4. of <http://au.sunsolve.sun.com/pub-cgi/retrieve.pl?type=0&doc=secbull%2F141&display=plain>.","sysaffected":"","thanks":"Thanks to L0pht/@stake and Sun for information used in this document.","author":"This document was written by James T. Ellis and updated by Art Manion.","public":["http://www.atstake.com/research/advisories/1997/getopt.txt","http://au.sunsolve.sun.com/pub-cgi/retrieve.pl?type=0&doc=secbull%2F141&display=plain"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"1998-05-21T15:46:20Z","publicdate":"1997-01-27T00:00:00Z","datefirstpublished":"2003-09-25T14:21:08Z","dateupdated":"2003-09-25T15:34:09Z","revision":7,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"4","cam_population":"5","cam_impact":"20","cam_easeofexploitation":"11","cam_attackeraccessrequired":"10","cam_scorecurrent":"3.91875","cam_scorecurrentwidelyknown":"4.95","cam_scorecurrentwidelyknownexploited":"9.075","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":3.91875,"vulnote":null}