Bugtraq mailing list archives
Re: Sol2.x Mouse EXPLOIT info - CORRECTION
From: bicknell () ussenterprise async vt edu (Leo Bicknell)
Date: Tue, 17 Jan 1995 17:09:05 -0500 (EST)
Probably you weren't mumbling "I love SMI" 3 times while trying Neil's method? But seriously, as someone has already said, the bug is in one of the routines of the driver in the kernel, which passes a pointer to u-cred structure and the routine actually modifies the uid and gid (euid & egid as well) to zero. As for break-in code, I doubt if it's worth expecting it being posted here.
I'll start off by saying that we are entirely a DEC shop here...so I can't test this out myself, but I would like to see a complete summary of the problem (with some more details) as I find this one quite funny...face it, as bugs go this is a good one.
Why DEC ships off Ultrix 4.X with a weirdo /.rhosts which contains -- "# @(#).rhosts 8.1 Ultrix 9/18/92" (taken out of 4.4 ult)
There was a bug as I recall that would allow a user to create a file provided it didn't already exist (something with mail, as I recall)...Since many systems didn't have a root .rhosts, that was an easy way in. I don't think Ultrix ever had this problem, but there was a lot of 3rd party code (based on some branch of the BSD tree) that had this problem. I presume it's DEC's (feeble?) way of preventing it...
Why can't you make mountd on Ultrix 4.X reject mount requests from non-privileged ports? Turning on "nfsportmon" in the kernel doesn't quite do the job properly. Things that make you go hmmm...
There are several replacements for Ultrix's mountd available with various features. Can't say I know more than that about them.
--
Leo Bicknell - bicknell () vt edu | Make a little birdhouse
bicknell () csugrad cs vt edu | in your soul......
bicknell () ussenterprise async vt edu | They Might
http://ussenterprise.async.vt.edu/~bicknell/ | Be Giants