Bugtraq mailing list archives
Re: Solaris 2.4 bugs...
From: casper () fwi uva nl (Casper Dik)
Date: Sat, 14 Jan 1995 16:34:09 +0100
Does anybody have information about the Solaris 2.4 bug fixed in the patch Patch-ID# 102044-01 : SunOS 5.4: bug in mouse code makes "break root" attack possible

The bug was in Solaris 2.3 and yes it was the mouse driver. I'm still mulling over the propriety of posting the 3 line C program that exploits this hole and gives any user root.

Personally, I'd advise against posting it - but some description of the bug would be appreciated. (Does some ioctl not check its arguments sufficiently stringently, for example?) Or if you don't understand it and don't want to go to the trouble to figure it out, I'm sure someone with a Solaris 2.3 system would volunteer to do so. I'd volunteer myself except that I don't have access to any such system.

The problem is that the code uses and changes the user's cred structure, instead of allocating a new one (which is what happens in Solaris 2.2 and earlier).

Casper
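Added example, not part of the original message and not Solaris source: a user-space model of the bug class described above, contrasting a routine that edits the caller's credential structure in place with one that allocates a new one. The `struct cred` layout, all function names, and the assumption that the change is setting the uid to 0 are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Simplified stand-in for a kernel credential structure (hypothetical). */
struct cred { uid_t uid; };

static struct cred *cred_alloc(uid_t uid) {
    struct cred *c = malloc(sizeof *c);
    if (c == NULL) abort();
    c->uid = uid;
    return c;
}

/* Flawed pattern: the driver edits the caller's own cred, so the caller
 * keeps whatever identity the driver wrote after the call returns. */
static void driver_op_in_place(struct cred *caller) {
    caller->uid = 0;              /* assumed change, for illustration */
    /* ... internal operation performed with 'caller' ... */
}

/* Safe pattern: allocate a new cred, change that one, then release it. */
static void driver_op_with_copy(const struct cred *caller) {
    struct cred *tmp = cred_alloc(caller->uid);
    tmp->uid = 0;                 /* change is confined to the copy */
    /* ... internal operation performed with 'tmp' ... */
    free(tmp);
}

/* Returns the caller's uid after the chosen driver path has run. */
uid_t uid_after_driver(uid_t start, int use_copy) {
    struct cred *user = cred_alloc(start);
    if (use_copy)
        driver_op_with_copy(user);
    else
        driver_op_in_place(user);
    uid_t result = user->uid;
    free(user);
    return result;
}

int main(void) {
    printf("in place:  uid %d\n", (int)uid_after_driver(1001, 0));
    printf("with copy: uid %d\n", (int)uid_after_driver(1001, 1));
    return 0;
}
```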