COMMAND

    ospf_monitor

SYSTEMS AFFECTED

    Solaris 2.5

PROBLEM

    Joel Eriksson found the following.  Take a look:

        bash$ ospf_monitor `perl -e 'print "A"x1066'`
        task_get_proto: getprotobyname("ospf") failed, using proto 89
        listening on 0.0.0.0.64527
        Segmentation Fault

        bash$ ls -l /usr/bin/ospf_monitor
        -rwsr-xr-x   1 root     other      61892 Sep 17  1997 /usr/bin/ospf_monitor

    Seth Michael McGann added his confirmation that the version in
    FreeBSD 2.2.6 is indeed vulnerable; the stack is smashed.
    Fortunately, it is not executable by anyone but root or group
    ospf.  The guess is that Solaris x86 is vulnerable as well.  The
    exploit is trivial: just change the target in your favorite local
    overflow and exec.  On further inspection, it appears ospf_monitor
    drops privileges after opening a raw multicast socket, but before
    it overflows.  So basically there is no instant root, but you have
    an open raw socket descriptor, which could be useful.
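
    The bug class described above, as an added illustration that is not
    ospf_monitor's or gated's own code: a hypothetical argument copy into
    a fixed-size stack buffer (HOSTBUF and the function names are assumed
    here), next to a bounded form that rejects the 1066-byte argument
    from the perl one-liner instead of smashing the stack.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for illustration; the real size in ospf_monitor
 * is not given in the advisory. */
#define HOSTBUF 64

/* Pattern the advisory describes: an argv element copied into a
 * fixed-size stack buffer with no bound, so an over-long argument
 * overwrites the saved return address and the process faults. */
int parse_host_unsafe(const char *arg)
{
    char host[HOSTBUF];
    strcpy(host, arg);          /* no length check: stack smash */
    return (int)strlen(host);
}

/* Hardened form: make sure the argument fits before copying.
 * Returns 0 on success, -1 when the argument is too long. */
int parse_host_safe(char *dst, size_t dstlen, const char *arg)
{
    const char *nul = memchr(arg, '\0', dstlen);
    if (nul == NULL)            /* no terminator within dstlen */
        return -1;
    memcpy(dst, arg, (size_t)(nul - arg) + 1);
    return 0;
}

/* Constructed input: the same "A" x len string the advisory's perl
 * one-liner produces.  Caller frees. */
char *make_a_string(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL) return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

/* Returns 1 if a len-byte argument is rejected by the safe parser. */
int rejects_long_arg(size_t len)
{
    char host[HOSTBUF];
    char *a = make_a_string(len);
    int rc = a ? parse_host_safe(host, sizeof host, a) : 0;
    free(a);
    return rc == -1;
}

int main(int argc, char **argv)
{
    char host[HOSTBUF];
    const char *arg = argc > 1 ? argv[1] : "224.0.0.5";
    if (parse_host_safe(host, sizeof host, arg) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", HOSTBUF - 1);
        return 1;
    }
    printf("host=%s\n", host);
    return 0;
}
```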

SOLUTION

    Remove the setuid bit to be sure.