[28032] in bugtraq


Re: Solaris priocntl exploit

daemon@ATHENA.MIT.EDU (Casper Dik)
Wed Nov 27 19:42:29 2002

Message-Id: <200211272056.gARKub3m028746@romulus.Holland.Sun.COM>
To: "=?GB2312?Q?=DD=FE=D2=E3=C1=88?=" <kk_qq@263.net>
In-reply-to: Your message of "Wed, 27 Nov 2002 11:00:11 +0800."
             <20021127024912.78C4A2F813@smtp.x263.net> 
Date: Wed, 27 Nov 2002 21:56:37 +0100
From: Casper Dik <Casper.Dik@Sun.COM>


>The module's name is a relative path; priocntl will search for the module file
>only in the /kernel/sched and /usr/kernel/sched/ dirs.
>But unfortunately, priocntl() never checks for '../' in the pc_clname arg,
>so we can use '../../../tmp/module' to make priocntl() load a module from anywhere.


The "pc_clname[]" argument is limited in size; to prevent this particular
bug from being exploited you could:


	#!/bin/sh
	# Bury the real sched/ directories eight levels deeper and leave a symlink
	# behind: a "../" chain long enough to climb back out of the buried
	# directory no longer fits in pc_clname[].
	for dir in /kernel /usr/kernel
	do
		cd "$dir" || exit 1
		mkdir -p a/b/c/d/e/f/g/h
		mv sched a/b/c/d/e/f/g/h
		ln -s a/b/c/d/e/f/g/h/sched .
	done


Casper
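As an added illustration (not part of Casper's message, and not Sun's kernel code), the C program below models why the directory shuffle defeats the traversal, and shows the single-component check a fixed priocntl() would apply to pc_clname. It assumes PC_CLNMSZ is 16 bytes, normalises paths lexically after first substituting the symlink target for the search directory (a real lookup follows the link before it sees ".."), and uses the absolute target /kernel/a/b/c/d/e/f/g/h/sched for the relative link the workaround creates; the traversal arithmetic is a model, not a measurement of the real kernel.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of pcinfo.pc_clname[] (Solaris sys/priocntl.h defines
 * PC_CLNMSZ; 16 is the value this example assumes). */
#define PC_CLNMSZ 16

/* Hardened check a kernel could apply before using a class name as a
 * path component: exactly one component, no '/', not "." or "..", and
 * short enough to fit pc_clname[] with its terminating NUL. */
static bool clname_is_safe(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n >= PC_CLNMSZ)
        return false;
    if (strchr(name, '/') != NULL)
        return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;
    return true;
}

/* Model of an unchecked lookup: <dir>/<name> is normalised lexically,
 * applying ".." after the search directory itself has been replaced by
 * its symlink target.  link_from/link_to may be NULL when no symlink is
 * involved.  Returns a static buffer; not reentrant, illustration only. */
static const char *resolve(const char *dir, const char *name,
                           const char *link_from, const char *link_to)
{
    static char out[512];
    char buf[512];
    char *parts[64];
    int n = 0;
    size_t used = 0;

    if (link_from != NULL && strcmp(dir, link_from) == 0)
        dir = link_to;
    snprintf(buf, sizeof buf, "%s/%s", dir, name);

    for (char *tok = strtok(buf, "/"); tok != NULL; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0)
            continue;
        if (strcmp(tok, "..") == 0) {
            if (n > 0)
                n--;                /* ".." above "/" stays at "/" */
            continue;
        }
        if (n < 64)
            parts[n++] = tok;
    }

    out[0] = '\0';
    for (int i = 0; i < n; i++) {
        int w = snprintf(out + used, sizeof out - used, "/%s", parts[i]);
        if (w < 0 || (size_t)w >= sizeof out - used)
            break;
        used += (size_t)w;
    }
    if (n == 0)
        snprintf(out, sizeof out, "/");
    return out;
}

/* Can a traversal from a search directory `depth` levels below "/" to
 * `target` (relative to "/") still fit in pc_clname[]?  Each level costs
 * the three bytes of "../", and one byte is reserved for the NUL. */
static bool traversal_fits(int depth, const char *target)
{
    return 3 * (size_t)depth + strlen(target) < PC_CLNMSZ;
}

int main(void)
{
    /* Absolute target of the relative symlink the workaround leaves at
     * /kernel/sched (assumed layout). */
    const char *deep = "/kernel/a/b/c/d/e/f/g/h/sched";

    printf("unchecked, original layout : %s\n",
           resolve("/kernel/sched", "../../../tmp/module", NULL, NULL));
    printf("unchecked, after workaround: %s\n",
           resolve("/kernel/sched", "../../../tmp/module", "/kernel/sched", deep));
    printf("escape fits at depth 2: %d, at depth 10: %d\n",
           traversal_fits(2, "tmp/m"), traversal_fits(10, "tmp/m"));
    printf("hardened check accepts \"TS\": %d, rejects traversal: %d\n",
           clname_is_safe("TS"), !clname_is_safe("../../tmp/m"));
    return 0;
}
```

With the original layout the unchecked lookup turns '../../../tmp/module' into /tmp/module. After the workaround the same name lands in /kernel/a/b/c/d/e/f/tmp/module, and climbing out of the buried directory (ten levels below "/") would need ten "../" (30 bytes) plus a file name, which cannot fit in a 16-byte pc_clname[]. clname_is_safe() is the check the kernel should have applied in the first place; the directory shuffle only narrows this particular bug.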
