Vulnerability Development mailing list archives
Re: volcheck and sol 8
From: mpotter () ATPCO COM (Matthew Potter)
Date: Thu, 20 Jul 2000 16:51:30 -0400
At 10:20 PM 7/20/00 +0200, you wrote:
> "MP" == Matthew Potter <mpotter () ATPCO COM> writes:
>
> MP> Anyone notice when they insert their goodies CD (the one with
> MP> the GNU Tools) from Solaris 8 that it auto runs a script
> MP> called volstart.
>
> Which user is running volstart? root?

Root. Vold runs as root. Although it might switch to another id. I'd have to poke around. volstart is a new feature with Solaris 8 (I've never heard of it before 8)... it executes

    /usr/dt/bin/dtaction Run $dir_name/script_here

dtaction is suid root sgid sys.

> MP> So what happens if I make my own CD with a little shell script
> MP> which calls a prebuilt binary with a setuid and setgid 0,
> MP> then system("/bin/sh").... or whatever I want.
>
> I am not sure there is a way to set the setUID bit on a CD (are UFS CD still supported?), however, you may not need this.

I am not talking about setting a suid bit, which is a good idea. Just a simple 2 line C program that the system would execute a root shell/xterm up, etc.. Assuming it runs as root, I am pretty sure it does. But it might give up privilege upon executing the script/binary...

> MP> It's silly since I have physical access anyways....
>
> This way, you can send a CD with a trojan horse. Funny... This is a classical trick on Windows. "Always disable the autorun feature" :)

Yeah, I've been disabling vold for a long time now, unless it's necessary. For most servers you don't need it.