[3040] in bugtraq


Re: 2 thoughts. . .

daemon@ATHENA.MIT.EDU (Alan Cox)
Fri Jul 26 18:47:46 1996

Date: 	Fri, 26 Jul 1996 16:36:05 -0500
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Alan Cox <alan@lxorguk.ukuu.org.uk>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To:  <Pine.SUN.3.94.960720010232.25039B-100000@dfw.dfw.net> from
              "Aleph One" at Jul 20, 96 01:03:39 am

> >     rsh to a Solaris 2.3/4/5 box you have an account on, using file
> > descriptor 0 (ie your stdin) on your application issue ioctl calls for
> > things like setting the address of the loopback interface down. ie your
> > app is say "fred" rsh localhost fred and you can take down interfaces
> > etc.
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> Alan could you expand more on this. Has Sun made a patch available?

No idea about that.

This is a variant of an old (fixed) BSD problem. A socket created by root
gets flags set saying it can do things like SIOCSIFADDR ioctls. This was
done at the time in BSD because there was no way for the socket to get
back at the uarea concerned to check rights deep in the BSD net code.

Solaris 2.x has the same problem (for I guess similar reasons), and a root
created socket (i.e. fd 0 given to you by rsh) can do fun things whoever you
are.

Alan
