Bugtraq mailing list archives
Sol2.x Mouse EXPLOIT info (wsa Re: Solaris 2.4 bugs..)
From: karl () bagpuss demon co uk (Karl Strickland)
Date: Sun, 15 Jan 1995 01:34:10 +0000 (GMT)
Does anybody have information about the Solaris 2.4 bug fixed in the patch

Patch-ID# 102044-01 : SunOS 5.4: bug in mouse code makes "break root" attack possible

The bug was in Solaris 2.3 and yes it was the mouse driver. I'm still mulling over the propriety of posting the 3 line C program that exploits this hole and gives any user root.

Personally, I'd advise against posting it - but some description of the bug would be appreciated. (Does some ioctl not check its arguments sufficiently stringently, for example?) Or if you don't understand it and don't want to go to the trouble to figure it out, I'm sure someone with a Solaris 2.3 system would volunteer to do so. I'd volunteer myself except that I don't have access to any such system.

The problem is that the code uses and changes the user's cred structure, instead of allocating a new one (which is what happens in Solaris 2.2 and earlier).

Casper
OK, Exploit details:

1) place pointer exactly in centre of screen
2) start to spiral out ANTICLOCKWISE - this movement must be smooth and finish in the top left corner
3) as soon as you reach the top left corner, unplug the mouse within 4 seconds.
4) You should then be at the # prompt.

Have Fun.

------------------------------------------+-----------------------------------
Mailed using ELM on FreeBSD               | Karl Strickland
PGP 2.3a Public Key Available.            | Internet: karl () bagpuss demon co uk
                                          |
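Casper's explanation quoted in the message above (the driver changes the user's cred structure instead of allocating a new one) can be modelled in user space. This is an added example, not code from the thread or from Solaris; the struct and function names, the reference count, and the choice of uid as the changed field are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy user-space model; every name here is hypothetical, not Solaris source. */
struct cred { unsigned refs; int uid; };
struct proc { struct cred *cred; };

static struct cred *cred_alloc(int uid) {
    struct cred *c = malloc(sizeof *c);
    if (c == NULL) abort();
    *c = (struct cred){ 1, uid };
    return c;
}

static void cred_release(struct cred *c) {
    if (--c->refs == 0) free(c);
}

/* Flawed pattern: driver code that needs a credential for its own work
 * edits the caller's structure (assumption: the edited field is the uid). */
static void driver_op_in_place(struct proc *caller) {
    caller->cred->uid = 0;           /* lands in the user's own credential */
}

/* Corrected pattern: allocate a separate structure for the driver's work. */
static void driver_op_private(struct proc *caller) {
    struct cred *c = cred_alloc(0);  /* separate object */
    (void)caller;                    /* caller's cred is never written */
    cred_release(c);                 /* dropped when the work is done */
}

/* Returns the uid that a second process sharing the cred sees after the call. */
static int sharer_uid_after(void (*op)(struct proc *)) {
    struct proc a = { cred_alloc(1000) };   /* constructed unprivileged uid */
    struct proc b = { a.cred };             /* shares the same structure */
    a.cred->refs++;
    op(&a);
    int uid = b.cred->uid;
    cred_release(a.cred);
    cred_release(b.cred);
    return uid;
}

int main(void) {
    printf("in place: sharer uid = %d\n", sharer_uid_after(driver_op_in_place));
    printf("private:  sharer uid = %d\n", sharer_uid_after(driver_op_private));
    return 0;
}
```

Because the structure is shared by reference, the in-place write is visible to every holder of the credential, which is why kernel code that needs different credentials works on a fresh or duplicated structure.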