Bugtraq mailing list archives
re: Solaris priocntl exploit
From: Jeff Damens <jdamens () ebbets poly edu>
Date: Wed, 27 Nov 2002 18:12:38 -0500 (EST)
> Solaris has got a big problem with the system call priocntl(). The priocntl(2) syscall is used as the process scheduler control ... as it said, pc_clname points to a string specifying the module. priocntl() will load the module without any privilege check. The module's name is a relative path; priocntl will search for the module file only in the /kernel/sched and /usr/kernel/sched/ directories. But unfortunately, priocntl() never checks for '../' in the pc_clname argument.
The supplied exploits definitely work (with a little fiddling) on a patched Solaris 7 system running a 32-bit kernel. The following will disable the offending syscall (priocntl) entirely; this does break nice/renice and the priocntl command.

    b=`isainfo -b`
    if [ "$b" = 32 ]; then
        echo 'sysent+0x70c/W nosys' | adb -k -w /dev/ksyms /dev/mem
    elif [ "$b" = 64 ]; then
        echo 'sysent+0xe1c/W nosys' | adb -k -w /dev/ksyms /dev/mem
        echo 'sysent32+0xe1c/W nosys' | adb -k -w /dev/ksyms /dev/mem
    fi

(Note that isainfo wasn't available before Solaris 7.) This has NOT been heavily tested; no warranty is expressed or implied.

Happy Thanksgiving.

Regards,
Jeff Damens
----------------------------------------------------------------
Jeff Damens
Unix Systems Administrator
Polytechnic University
jdamens () poly edu
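Added example, not from this thread and not Solaris source: a user-space model in C of the class-name lookup the report describes, with the unchecked concatenation beside a hardened check that rejects any path separator, and a lexical normaliser that shows where an unchecked name actually lands. The PC_CLNMSZ value and the /kernel/sched/ prefix are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Assumed: Solaris caps pc_clname at PC_CLNMSZ bytes, and the first
 * search directory is /kernel/sched/. Everything here is a model. */
#define PC_CLNMSZ 16
#define SCHED_DIR "/kernel/sched/"

/* Lookup as the post describes it: the class name is glued onto the
 * search directory with no check for '/' or "..". */
int sched_path_unchecked(const char *clname, char *out, size_t outsz)
{
    if (strlen(SCHED_DIR) + strlen(clname) + 1 > outsz)
        return -1;
    strcpy(out, SCHED_DIR);
    strcat(out, clname);
    return 0;
}

/* Hardened check: a scheduling-class name must be exactly one path
 * component, so reject empty, over-long, any '/', and "." or "..". */
int sched_clname_ok(const char *clname)
{
    size_t n = strlen(clname);
    if (n == 0 || n > PC_CLNMSZ) return 0;
    if (strchr(clname, '/') != NULL) return 0;
    if (strcmp(clname, ".") == 0 || strcmp(clname, "..") == 0) return 0;
    return 1;
}

/* Same lookup, but only after the name passes the check above. */
int sched_path_checked(const char *clname, char *out, size_t outsz)
{
    if (!sched_clname_ok(clname)) return -1;
    return sched_path_unchecked(clname, out, outsz);
}

/* Lexically collapse "." and ".." in an absolute path, never rising
 * above "/", so a caller can see where a traversal name resolves. */
void lexical_normalize(const char *in, char *out)
{
    size_t len = 0;
    const char *p = in;
    out[len++] = '/';
    while (*p) {
        while (*p == '/') p++;
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t clen = (size_t)(p - start);
        if (clen == 0 || (clen == 1 && start[0] == '.')) continue;
        if (clen == 2 && start[0] == '.' && start[1] == '.') {
            while (len > 1 && out[len - 1] != '/') len--; /* pop name */
            if (len > 1) len--;                            /* pop '/'  */
            continue;
        }
        if (len > 1) out[len++] = '/';
        memcpy(out + len, start, clen);
        len += clen;
    }
    out[len] = '\0';
}
```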
Current thread:
- Solaris priocntl exploit 蔺毅 (Nov 27)
- Re: Solaris priocntl exploit Casper Dik (Nov 27)
- Re: Solaris priocntl exploit Casper Dik (Nov 28)
- re: Solaris priocntl exploit Jeff Damens (Nov 29)