Bugtraq mailing list archives

Re: Solaris 2.5.1 party piece


From: milun () CS BUFFALO EDU (Davin Milun)
Date: Thu, 3 Jul 1997 13:20:01 -0400


From owner-bugtraq () NETSPACE ORG Thu Jun 19 14:29 EDT 1997
Date:         Thu, 19 Jun 1997 15:27:39 +0100
From: Alan Cox <alan () LXORGUK UKUU ORG UK>
Subject:      Solaris 2.5.1 party piece

Well CERT have had this for a year, AUSCERT for a couple of weeks and
now it's time bugtraq had it

cc solarisuck.c -o solarisuck -lsocket
rsh localhost ./solarisuck

...

You can adjust this to do other things. Basically any user can do network
control requests on a root created socket descriptor.


Workarounds:
1.  Disable rsh and any non-root-owned inetd tasks - breaks remote tar etc
2.  Run an OS that the vendor doesn't take a year to fix bugs in

I have the original emails from Sun folks (Casper Dik, Alec Muffett and co)
to prove Sun have sat on this for ages.

It seems that Sun has finally fixed this.

Patch 103093-13 (Solaris 2.5 SPARC) claims to fix (among others) the
following problem:
1238582 privileged ifconfig ioctls by normal user succeed on sockets created as root

Davin.
--
Davin Milun    Internet:  milun () cs Buffalo EDU     milun () acm org
               Fax:       (716) 645-3464
               WWW:       http://www.cs.buffalo.edu/~milun/
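
Added example (not part of the original posts, and not code from either author): workaround 1 above, written as a check over inetd.conf for hosts that do not yet have the patch. It assumes the standard seven-field inetd.conf layout, takes "shell" as the inetd.conf service name for rsh, and reads "non root owned inetd tasks" as entries whose user field is not root; the sample file is constructed.

```python
# Added example: list the inetd.conf entries that workaround 1 says to disable.
# Assumption: standard inetd.conf layout
#   service  socket-type  protocol  wait-status  user  server-path  args...
# Assumption: "non root owned inetd tasks" = entries whose user field is not root.

RSH_SERVICE = "shell"  # inetd.conf service name for rsh (served by in.rshd)

# Constructed sample, not taken from a real host.
SAMPLE_INETD_CONF = """\
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd
shell   stream  tcp  nowait  root    /usr/sbin/in.rshd     in.rshd
#login  stream  tcp  nowait  root    /usr/sbin/in.rlogind  in.rlogind
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
uucp    stream  tcp  nowait  uucp    /usr/sbin/in.uucpd    in.uucpd
time    dgram   udp  wait    root    internal
broken line
"""


def audit_inetd(text):
    """Return (findings, skipped); findings are (lineno, service, user, reason)."""
    findings, skipped = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out entry: already disabled
        fields = line.split()
        if len(fields) < 6:
            skipped.append((lineno, raw))  # malformed: report it, do not guess
            continue
        service, user = fields[0], fields[4]
        if service == RSH_SERVICE:
            findings.append((lineno, service, user, "rsh service enabled"))
        elif user != "root":
            findings.append((lineno, service, user, "server runs as non-root user"))
    return findings, skipped


if __name__ == "__main__":
    findings, skipped = audit_inetd(SAMPLE_INETD_CONF)
    for lineno, service, user, reason in findings:
        print(f"line {lineno}: {service} (user {user}): {reason}")
    for lineno, raw in skipped:
        print(f"line {lineno}: could not parse: {raw!r}")
```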


