Bugtraq mailing list archives
Re: Sol2.x Mouse EXPLOIT info - CORRECTION
From: jsz () ramon bgu ac il (jsz)
Date: Tue, 17 Jan 1995 22:15:27 +0200 (IST)
Whoopssss -- sent an empty message, sorry!
> This will NOT work on Solaris 2.X boxes. The spiraling out should in fact be CLOCKWISE. An anticlockwise movement will give a shell running as user nobody, rather than as uid 0! Top left is however important, so that we have 0,0 stored in cred->uid and cred->gid. Due to the nature of the mouse driver, an anticlockwise movement would spiral the uid/gid pair to the largest uid available on the system, which under normal conditions would be user nobody.
>
> I tried it both ways and neither are successful, what am I doing wrong?!@?!

Probably you weren't mumbling "I love SMI" 3 times while trying Neil's method? But seriously, as someone has already said, the bug is in one of the routines of the driver in the kernel, which passes a pointer to u-cred structure and the routine actually modifies the uid and gid (euid & egid as well) to zero. As for breakin code, I doubt if it's worth expecting it being posted here.

Why ifconfig never shows up PROMISC flag on 2.X, even if it *is* in PROMISC mode?

What's up with a "+" in /etc/hosts.equiv in Solaris 1.1.2 aka 4.1.4, or

Why DEC ships off Ultrix 4.X with a weirdo /.rhosts which contains -- "# @(#).rhosts 8.1 Ultrix 9/18/92" (taken out of 4.4 ult)

Why can't you make mountd on Ultrix 4.X reject mount requests from non-privileged ports? Turning on "nfsportmon" in the kernel doesn't quite do the job properly.

Things that make you go hmmm...

rgrds,