Re: Solaris priocntl exploit

[Casper Dik <Casper.Dik () Sun COM>]

> The module's name is a relative path, priocntl will search the module file
> in only /kernel/sched and /usr/kernel/sched/ dirs.
> but unfortunately, priocntl() never check '../' in pc_clname arg
> we can use '../../../tmp/module' to make priocntl() load a module from anywhere


The "pc_clname[]" argument is limited in size; to prevent this particular
bug from being exploited you could:


        for dir in /kernel /usr/kernel
        do
                cd $dir
                mkdir -p a/b/c/d/e/f/g/h
                mv sched a/b/c/d/e/f/g/h
                ln -s a/b/c/d/e/f/g/h/sched .
        done


Casper