Local Privilege Escalation in Solaris 8 and Solaris 9 via Buffer Overflow in passwd(1)
While remote compromises are preferred by attackers and most feared by defenders, local privilege escalation can be equally dangerous and even harder to uncover. A buffer overflow in the passwd program used in Sun Microsystems' Solaris 8 and Solaris 9 Operating Environments can be silently exploited by a valid local user to gain root privileges. The raptor_passwd.c exploit of this vulnerability is investigated in detail. A scenario is described in which the exploit is used as an integral part of an attack, and the handling of the incident by information security personnel is demonstrated.
1600 (PDF, 2.64MB)
5 May 2005, by Shaun McAdams
