[1490] in bugtraq
Re: Pointer to a process's credential structure?
daemon@ATHENA.MIT.EDU (Patrick Horgan)
Sat Apr 15 15:35:18 1995
Date: Fri, 14 Apr 1995 09:17:25 +0800
From: patrick@oes.amdahl.com (Patrick Horgan)
To: bugtraq@fc.net, fritchie@stolaf.edu
>
> Hi --
>
> Browsing through some archived "bugtraq" messages I discovered a
> really nifty way to change the effective and real userid of any
> process running under SunOS 4.1.x (well, at least 4.1.2 and 4.1.3x).
> That particular hole is demonstrably exploitable under Solaris 2.3
> (and I assume Solaris 2.4), except for one little problem....
>
I'd have to think...we used to be able to do this via the prom debugger.
We wouldn't have to know any address ahead of time, but could walk the
kernel's tables in the debugger from the prom prompt. If anyone really
cares I could probably figure it out for Solaris 2, but I'm not sure
of the point. I'd hope everyone knows that physical security is important,
and that if you don't have it you're in deep doo-doo.
Patrick
_______________________________________________________________________
/ These opinions are mine, and not Amdahl's (except by coincidence;). \
| (\ |
| Patrick J. Horgan Amdahl Corporation \\ Have |
| patrick@amdahl.com 1250 East Arques Avenue \\ _ Sword |
| Phone : (408)992-2779 P.O. Box 3470 M/S 316 \\/ Will |
| FAX : (408)773-0833 Sunnyvale, CA 94088-3470 _/\\ Travel |
\___________________________O16-2294________________________\)__________/