Bugtraq mailing list archives
Re: 2 thoughts. . .
From: alan () lxorguk ukuu org uk (Alan Cox)
Date: Fri, 26 Jul 1996 16:36:05 -0500
> rsh to a Solaris 2.3/4/5 box you have an account on, using file descriptor 0 (ie your stdin) on your application issue ioctl calls for things like setting the address of the loopback interface down. ie your app is say "fred"
>
>     rsh localhost fred
>
> and you can take down interfaces etc.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> Alan could you expand more on this. Has Sun made a patch available?
No idea about that. This is a variant of an old (fixed) BSD problem. A socket created by root gets flags set saying it can do things like SIOCSIFADDR ioctls. This was done at the time in BSD because there was no way for the socket to get back at the uarea concerned to check rights deep in the BSD net code. Solaris 2.x has the same problem (for I guess similar reasons), and a root created socket (ie fd 0 given to you by rsh) can do fun things whoever you are.

Alan
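The design flaw described in the message above, as a toy model in C added to this archive page (it is not part of the original post and is not Solaris or BSD source). Every name in it is hypothetical, and the caller-credential check is assumed as one way to close the hole, since the post does not say how BSD fixed it.

```c
/* Toy model: privilege cached on the socket at creation versus privilege
 * checked against the calling process at ioctl time. Names are hypothetical. */
#include <stdio.h>
#include <stdbool.h>

#define MODEL_SIOCSIFADDR 1    /* stands in for an interface-changing ioctl */
#define MODEL_EPERM     (-1)

struct cred { unsigned uid; };
struct sock { bool created_by_root; };    /* set once, never re-evaluated */

/* Socket creation: the creator's privilege is recorded on the socket. */
static struct sock sock_create(const struct cred *creator)
{
    struct sock s = { .created_by_root = (creator->uid == 0) };
    return s;
}

/* Behaviour the post describes: only the cached flag is consulted, so
 * whoever holds the descriptor inherits the creator's rights. */
int ioctl_legacy(const struct sock *s, const struct cred *caller, int cmd)
{
    (void)caller;
    if (cmd == MODEL_SIOCSIFADDR && !s->created_by_root)
        return MODEL_EPERM;
    return 0;
}

/* Assumed fix: the credentials of the process making the call decide. */
int ioctl_checked(const struct sock *s, const struct cred *caller, int cmd)
{
    (void)s;
    if (cmd == MODEL_SIOCSIFADDR && caller->uid != 0)
        return MODEL_EPERM;
    return 0;
}

/* The rsh case: a root daemon creates the socket, an ordinary user's
 * program receives it as fd 0 and issues the ioctl. */
int inherited_fd_result(bool use_checked)
{
    struct cred root = { 0 }, user = { 1000 };
    struct sock fd0 = sock_create(&root);
    return use_checked ? ioctl_checked(&fd0, &user, MODEL_SIOCSIFADDR)
                       : ioctl_legacy(&fd0, &user, MODEL_SIOCSIFADDR);
}

int main(void)
{
    printf("legacy:  %d\n", inherited_fd_result(false));
    printf("checked: %d\n", inherited_fd_result(true));
    return 0;
}
```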