Bugtraq mailing list archives

Re: Sol2.x Mouse EXPLOIT info - CORRECTION


From: bicknell () ussenterprise async vt edu (Leo Bicknell)
Date: Tue, 17 Jan 1995 17:09:05 -0500 (EST)


Probably you weren't mumbling "I love SMI" 3 times while trying Neil's method?
But seriously, as someone has already said, the bug is in one of the routines
of the driver in the kernel, which passes a pointer to u-cred structure 
and the routine actually modifies the uid and gid (euid & egid as well) to 
zero.

As for break-in code, I doubt it's worth expecting it to be posted
here.

        I'll start off by saying that we are entirely a DEC shop
here...so I can't test this out myself, but I would like to see
a complete summary of the problem (with some more details) as
I find this one quite funny...face it, as bugs go this is a good
one.

Why DEC ships off Ultrix 4.X with a weirdo /.rhosts which contains --
"#       @(#).rhosts     8.1     Ultrix  9/18/92"  (taken out of 4.4 ult)

        There was a bug as I recall that would allow
a user to create a file provided it didn't already exist
(something with mail, as I recall)...Since many systems
didn't have a root .rhosts, that was an easy way in.  I don't
think Ultrix ever had this problem, but there was a lot of 3rd
party code (based on some branch of the BSD tree) that had
this problem.  I presume it's DEC's (feeble?) way of
preventing it...

Why can't you make mountd on Ultrix 4.X reject mount requests from 
non-privileged ports? Turning on "nfsportmon" in the kernel doesn't
quite do the job properly. Things that make you go hmmm...

        There are several replacements for Ultrix's mountd available
with various features.  Can't say I know more than that about them.


-- 
Leo Bicknell - bicknell () vt edu                     | Make a little birdhouse
               bicknell () csugrad cs vt edu          | in your soul......
               bicknell () ussenterprise async vt edu | They Might
http://ussenterprise.async.vt.edu/~bicknell/       | Be Giants
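
As an added example (not from this thread, and not Ultrix or DEC code), the source-port check that "nfsportmon" is meant to enforce, applied to a constructed log of mount requests; the log format, host names and function names are all assumptions:

```python
import re

# On classic Unix only root can bind a port below this value, so a mountd
# that honours nfsportmon rejects requests whose source port is >= 1024.
IPPORT_RESERVED = 1024

# Constructed log format (assumed, not Ultrix's real mountd output):
#   <host>:<port> <op> <path>
MOUNT_LOG = """\
client1.example.com:1023 mount /usr
client2.example.com:1021 mount /home
workstation.example.com:3422 mount /home
workstation.example.com:4000 unmount /home
client1.example.com:abc mount /usr
"""

LINE_RE = re.compile(r"^(?P<host>[\w.-]+):(?P<port>\d+)\s+(?P<op>mount|unmount)\s+(?P<path>\S+)$")

def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec

def from_privileged_port(port):
    """The nfsportmon rule: accept only source ports 1..1023 (0 is never valid)."""
    return 0 < port < IPPORT_RESERVED

def audit(log_text):
    """Split constructed log lines into (accepted, rejected, unparsed) lists."""
    accepted, rejected, unparsed = [], [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)          # malformed lines are reported, not silently dropped
        elif from_privileged_port(rec["port"]):
            accepted.append(rec)
        else:
            rejected.append(rec)
    return accepted, rejected, unparsed

if __name__ == "__main__":
    acc, rej, bad = audit(MOUNT_LOG)
    for r in rej:
        print(f"REJECT {r['host']}:{r['port']} {r['op']} {r['path']} (non-privileged source port)")
    print(f"accepted={len(acc)} rejected={len(rej)} unparsed={len(bad)}")
```

The check only distinguishes unprivileged users on a host from root on that host; it says nothing about whether the host itself should be trusted, which is why it is a supplement to, not a replacement for, the export list.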
