[4852] in bugtraq


Re: Solaris 2.5.1 party piece

daemon@ATHENA.MIT.EDU (Davin Milun)
Thu Jul 3 14:08:11 1997

Date: 	Thu, 3 Jul 1997 13:20:01 -0400
Reply-To: Davin Milun <milun@CS.BUFFALO.EDU>
From: Davin Milun <milun@CS.BUFFALO.EDU>
X-To:         alan@LXORGUK.UKUU.ORG.UK
To: BUGTRAQ@NETSPACE.ORG

>From owner-bugtraq@NETSPACE.ORG Thu Jun 19 14:29 EDT 1997
>Date:         Thu, 19 Jun 1997 15:27:39 +0100
>From: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
>Subject:      Solaris 2.5.1 party piece
>
> Well CERT have had this for a year, AUSCERT for a couple of weeks and
>now it's time bugtraq had it
>
>cc solarisuck.c -o solarisuck -lsocket
>rsh localhost ./solarisuck
>
...
>
>You can adjust this to do other things. Basically any user can do network
>control requests on a root created socket descriptor.
>
>
>Workarounds:
> 1.  Disable rsh and any non root owned inetd tasks -  breaks remote tar etc
> 2.  Run an OS that the vendor doesn't take a year to fix bugs in
>
> I have the original emails from Sun folks (Casper Dik, Alec Muffett and co)
> to prove Sun have sat on this for ages.

It seems that Sun has finally fixed this.

Patch 103093-13 (Solaris 2.5 SPARC) claims to fix (among others) the
following problem:
1238582 privileged ifconfig ioctls by normal user succeed on sockets created as root

Davin.
--
Davin Milun    Internet:  milun@cs.Buffalo.EDU     milun@acm.org
               Fax:       (716) 645-3464
               WWW:       http://www.cs.buffalo.edu/~milun/
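
Workaround 1 from the quoted message, as an added example that is not part of the original thread: a small audit that reads an inetd.conf and lists the active entries the workaround would disable on hosts that do not yet have the patch. The function names and the sample file are constructed for illustration, and the seven-column inetd.conf layout (service, socket type, protocol, wait status, user, server, arguments) is assumed.

```shell
#!/bin/sh
# Added example: flag inetd.conf entries covered by workaround 1
# (the rsh "shell" service and any service started as a non-root user).

# Constructed sample input, not taken from a real host.
sample_inetd_conf() {
cat <<'EOF'
# service type   proto wait   user   server               args
ftp     stream  tcp   nowait root   /usr/sbin/in.ftpd     in.ftpd
shell   stream  tcp   nowait root   /usr/sbin/in.rshd     in.rshd
#exec   stream  tcp   nowait root   /usr/sbin/in.rexecd   in.rexecd
finger  stream  tcp   nowait nobody /usr/sbin/in.fingerd  in.fingerd
uucp    stream  tcp   nowait uucp   /usr/sbin/in.uucpd    in.uucpd

time    dgram   udp   wait   root   internal
EOF
}

# audit_inetd: reads inetd.conf text on stdin and prints one line per
# flagged entry as "service user reason".
audit_inetd() {
    awk '
        # Skip comments (including commented-out services), blank lines
        # and lines too short to be a service entry.
        $1 ~ /^#/ || NF < 6 { next }
        {
            # Some inetd variants allow "user.group" or "user:group" in
            # the user column; compare only the user part.
            split($5, u, /[.:]/)
        }
        # rsh is served by the "shell" entry; it runs user commands on a
        # descriptor that inetd created as root.
        $1 == "shell"  { print $1, u[1], "rsh"; next }
        u[1] != "root" { print $1, u[1], "non-root" }
    '
}

# Stand-alone run against the constructed sample. On a real host the
# input would be the system inetd.conf (path assumed: /etc/inetd.conf).
sample_inetd_conf | audit_inetd
```

Commented-out services are treated as already disabled and are not reported.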
