Bugtraq mailing list archives
Re: Solaris 2.5.1 party piece
From: milun () CS BUFFALO EDU (Davin Milun)
Date: Thu, 3 Jul 1997 13:20:01 -0400
From owner-bugtraq () NETSPACE ORG Thu Jun 19 14:29 EDT 1997
Date: Thu, 19 Jun 1997 15:27:39 +0100
From: Alan Cox <alan () LXORGUK UKUU ORG UK>
Subject: Solaris 2.5.1 party piece

Well CERT have had this for a year, AUSCERT for a couple of weeks and now it's time bugtraq had it

cc solarisuck.c -o solarisuck -lsocket
rsh localhost ./solarisuck
...
You can adjust this to do other things. Basically any user can do network control requests on a root created socket descriptor.

Workarounds:

1. Disable rsh and any non root owned inetd tasks - breaks remote tar etc
2. Run an OS that the vendor doesn't take a year to fix bugs in

I have the original emails from Sun folks (Casper Dik, Alec Muffett and co) to prove Sun have sat on this for ages.

It seems that Sun has finally fixed this.

Patch 103093-13 (Solaris 2.5 SPARC) claims to fix (among others) the following problem:

1238582 privileged ifconfig ioctls by normal user succeed on sockets created as root

Davin.

--
Davin Milun
Internet: milun () cs Buffalo EDU
          milun () acm org
Fax: (716) 645-3464
WWW: http://www.cs.buffalo.edu/~milun/