[4780] in bugtraq

Re: Fun with devices [was: Re: /dev/tcx0 crashes SunOS 4.1.4 on

daemon@ATHENA.MIT.EDU (Roger Espel Llima)
Tue Jun 24 19:42:30 1997

Date: 	Tue, 24 Jun 1997 21:12:58 +0200
Reply-To: Roger Espel Llima <espel@LLAIC.UNIV-BPCLERMONT.FR>
From: Roger Espel Llima <espel@LLAIC.UNIV-BPCLERMONT.FR>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.SUN.3.95.970624092729.6918A-100000@sister.ludd.luth.se>;
              from Jonas Stahre on Tue, Jun 24, 1997 at 09:40:15AM +0200

On Tue, Jun 24, 1997 at 09:40:15AM +0200, Jonas Stahre wrote:
> On Mon, 23 Jun 1997, Tobias Walkowiak wrote:
> > ever tried
> >         cp -p /vmunix /dev/audioctl
> > under SunOS 4.1.3? panic, dump and reboot.
>
> Then you will have to login and leave a nice entry in the log. It is
> "better" to
>
>         rcp /etc/motd you@some.host:/dev/audio
>
> Panic, dump and reboot. And no one knows it was you. (Works with any file,
> if you choose an au-file it will first play the sound and then crash. Lot
> of room for creativeness here.)
>
> Works on SunOS 4.1.4, and probably other versions too. Not on Solaris 5.5
> though.

The internal bug here is that fchmod() on /dev/audio (or /dev/audioctl,
or /dev/fb) crashes the kernel.

There's also "echo blah > /dev/tcp".

Like someone said, it's probably not worth repeating these
crash-sunos4-with-a-device exploits again and again; they're fairly well
known by now.


        Roger
--
e-mail: espel@llaic.univ-bpclermont.fr, espel@unix.bigots.org
WWW page & PGP key: http://www.eleves.ens.fr:8080/home/espel/index.html
