Sol2.x Mouse EXPLOIT info (wsa Re: Solaris 2.4 bugs..)

[karl () bagpuss demon co uk (Karl Strickland)]

> > > > Does anybody have information about the Solaris 2.4 bug fixed in the
> > > > patch Patch-ID# 102044-01 :
> > > > SunOS 5.4: bug in mouse code makes "break root" attack possible
> > > The bug was in Solaris 2.3 and yes it was the mouse driver.
> > > I'm still mulling over the propriety of posting the 3 line C program
> > > that expliots this hole and gives any user root.
> >
> > Personally, I'd advise against posting it - but some description of the
> > bug would be appreciated.  (Does some ioctl not check its arguments
> > sufficiently stringently, for example?)  Or if you don't understand it
> > and don't want to go to the trouble to figure it out, I'm sure someone
> > with a Solaris 2.3 system would volunteer to do so.  I'd volunteer
> > myself except that I don't have access to any such system.
>
>
> The problem is that the code uses and changes the user's cred
> structure, instead of allocating a new one (which is what happens
> in Solaris 2.2 and earlier).
>
> Casper

OK, Exploit details:

1) place pointer exactly in centre of screen
2) start to spiral out ANTICLOCKWISE - this movement must be
   smooth and finish in the top left corner
3) as soon as you reach the top left corner, unplug the mouse within
   4 seconds.
4) You should then be at the # prompt.

Have Fun.


------------------------------------------+-----------------------------------
Mailed using ELM on FreeBSD               |                    Karl Strickland
PGP 2.3a Public Key Available.            | Internet: karl () bagpuss demon co uk
                                          |