This Old Vulnerability: 8LGM Loadmodule2
Dave G. | February 6th, 2006 | Filed Under: This Old Vulnerability
We have decided to introduce a new blog feature called ‘This Old Vulnerability’. The goal is to acknowledge vulnerabilities that were either monumental or clever. We will begin this series with a vulnerability discovered by 8LGM back in 1995, which falls under the clever category.
8LGM was one of the first (maybe even the first) vulnerability research teams to publish advisories on mailing lists like bugtraq. They performed a lot of pioneering research (primarily on SunOS 4.x and later Solaris 2.x), including some of the first buffer overflows (e.g. the infamous syslog() overflow exploited via sendmail). One of their most clever vulnerabilities involved a seemingly patched version of the setuid root loadmodule command. It had previously been vulnerable to a classic system() IFS hack, which had supposedly been fixed.
Unfortunately, Sun’s solution was simply to reset IFS inside the program using a function like putenv(). 8LGM’s response was to define IFS twice in the environment before calling loadmodule, so that one definition survived the reset. The exploit and advisory are still available.
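To show why a putenv()-style reset is not a fix, here is an added example (not 8LGM's exploit and not Sun's patch; the scenario values, the fixed IFS/PATH strings and the allow-list names are assumptions). It models putenv(3)'s replace-the-first-match behaviour on a caller-supplied array rather than the real environ, so the result is deterministic: with IFS defined twice, the reset touches only the first entry and the second reaches the child. The defensive alternative is to stop repairing the inherited environment and instead hand execve() a freshly built one.

```c
#include <stdio.h>
#include <string.h>

/* Does a "NAME=value" entry define exactly NAME (not a longer name sharing a prefix)? */
static int entry_has_name(const char *entry, const char *name)
{
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/* Count the entries in a NULL-terminated envp array that define NAME. */
int count_env_name(char *const envp[], const char *name)
{
    int count = 0;
    for (size_t i = 0; envp[i] != NULL; i++)
        if (entry_has_name(envp[i], name))
            count++;
    return count;
}

/* Count IFS entries whose value is anything other than the default " \t\n". */
int count_untrusted_ifs(char *const envp[])
{
    int count = 0;
    for (size_t i = 0; envp[i] != NULL; i++)
        if (entry_has_name(envp[i], "IFS") && strcmp(envp[i] + 4, " \t\n") != 0)
            count++;
    return count;
}

/* Model of putenv(3) applied to a caller-supplied array (so the demo never
 * touches the real environ): replace only the FIRST entry whose name matches,
 * append if there is none. Returns the index written, or -1 if the array is full. */
int putenv_like(char *envp[], size_t cap, char *entry)
{
    size_t name_len = strcspn(entry, "=");
    size_t i;
    for (i = 0; envp[i] != NULL; i++) {
        if (strncmp(envp[i], entry, name_len) == 0 && envp[i][name_len] == '=') {
            envp[i] = entry;
            return (int)i;
        }
    }
    if (i + 1 >= cap)
        return -1;
    envp[i] = entry;
    envp[i + 1] = NULL;
    return (int)i;
}

/* The durable fix: do not repair the inherited environment in place. Build a
 * fresh array for execve() from fixed IFS/PATH values plus a short allow-list
 * (assumed names), taking at most one definition of each kept name. */
size_t build_clean_env(char *const inherited[], char *clean[], size_t cap)
{
    static const char *const keep[] = { "HOME", "TZ", "LANG" };
    static char *const fixed[] = { "IFS= \t\n", "PATH=/usr/bin:/bin" };
    size_t n = 0;
    for (size_t i = 0; i < sizeof fixed / sizeof fixed[0] && n + 1 < cap; i++)
        clean[n++] = fixed[i];
    for (size_t k = 0; k < sizeof keep / sizeof keep[0]; k++)
        for (size_t i = 0; inherited[i] != NULL && n + 1 < cap; i++)
            if (entry_has_name(inherited[i], keep[k])) {
                clean[n++] = inherited[i];
                break;            /* first definition only; duplicates are dropped */
            }
    clean[n] = NULL;
    return n;
}

/* Constructed scenario: the caller's environment defines IFS twice.
 * After a putenv()-style reset, one non-default IFS entry still remains. */
int untrusted_ifs_after_putenv_reset(void)
{
    char *env[8] = { "IFS=x", "PATH=/tmp", "IFS=x", "HOME=/", NULL };
    static char reset[] = "IFS= \t\n";
    putenv_like(env, 8, reset);       /* only env[0] is replaced */
    return count_untrusted_ifs(env);  /* 1 */
}

/* Same scenario, but the child gets a rebuilt environment instead. */
int untrusted_ifs_after_clean_env(void)
{
    char *env[8] = { "IFS=x", "PATH=/tmp", "IFS=x", "HOME=/", NULL };
    char *clean[8];
    build_clean_env(env, clean, 8);   /* IFS, PATH, HOME; both IFS=x dropped */
    return count_untrusted_ifs(clean); /* 0 */
}

int main(void)
{
    printf("untrusted IFS entries after putenv-style reset: %d\n",
           untrusted_ifs_after_putenv_reset());
    printf("untrusted IFS entries after clean rebuild:      %d\n",
           untrusted_ifs_after_clean_env());
    return 0;
}
```

The same reasoning applies to any environment-driven knob a privileged program tries to neutralise one variable at a time: the child sees the whole envp array, not the caller's idea of it, so the only reliable sanitiser is one that constructs the array from scratch.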

