[641] in bugtraq


Re: Solaris 2.4 bugs...

daemon@ATHENA.MIT.EDU (Casper Dik)
Sat Jan 14 11:31:38 1995

To: der Mouse <mouse@Collatz.McRCIM.McGill.EDU>
Cc: rslau@tarazed.usc.edu, bugtraq@fc.net
In-Reply-To: Your message of "Fri, 13 Jan 1995 15:50:11 EST."
             <199501132050.PAA04927@Collatz.McRCIM.McGill.EDU> 
Date: Sat, 14 Jan 1995 16:34:09 +0100
From: Casper Dik <casper@fwi.uva.nl>


>>> Does anybody have information about the Solaris 2.4 bug fixed in the
>>> patch Patch-ID# 102044-01 :
>>> SunOS 5.4: bug in mouse code makes "break root" attack possible
>> The bug was in Solaris 2.3 and yes it was the mouse driver.
>> I'm still mulling over the propriety of posting the 3 line C program
>> that exploits this hole and gives any user root.
>
>Personally, I'd advise against posting it - but some description of the
>bug would be appreciated.  (Does some ioctl not check its arguments
>sufficiently stringently, for example?)  Or if you don't understand it
>and don't want to go to the trouble to figure it out, I'm sure someone
>with a Solaris 2.3 system would volunteer to do so.  I'd volunteer
>myself except that I don't have access to any such system.


The problem is that the code uses and changes the user's cred
structure, instead of allocating a new one (which is what happens
in Solaris 2.2 and earlier).

Casper
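
A simplified user-space model of the difference described above, added here as an illustration; it is not Solaris source and not code from this message. The struct layout, the function names, and the assumptions that the cred is shared by reference count and that the in-place change sets uid 0 are all hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical, simplified credential; NOT the Solaris cred_t layout. */
struct cred { int ref; int uid; };
struct proc { struct cred *cr; };   /* a process points at a shared cred */
static struct cred *cred_new(int uid) {
    struct cred *c = malloc(sizeof *c);
    if (!c) abort();
    c->ref = 1; c->uid = uid;
    return c;
}
static struct cred *cred_hold(struct cred *c) { c->ref++; return c; }
static void cred_free(struct cred *c) { if (--c->ref == 0) free(c); }
/* Stand-in for driver-internal work that must run as uid 0. */
static int privileged_op(const struct cred *cr) { return cr->uid == 0 ? 0 : -1; }

/* Flawed pattern: edits the caller's own cred (assumed: sets uid 0). */
static int open_inplace(struct proc *p) {
    p->cr->uid = 0;   /* seen by every holder, outlives the call */
    return privileged_op(p->cr);
}
/* Safe pattern: allocate a private cred, elevate only the copy, discard it. */
static int open_copy(struct proc *p) {
    struct cred *tmp = cred_new(p->cr->uid);
    tmp->uid = 0;
    int rc = privileged_op(tmp);
    cred_free(tmp);
    return rc;
}

/* Run open_fn as uid 1001; return caller's uid after, report a sharer's uid. */
static int uid_after_open(int (*open_fn)(struct proc *), int *sibling_uid) {
    struct cred *c = cred_new(1001);
    struct proc caller = { c }, sibling = { cred_hold(c) };
    open_fn(&caller);
    int uid = caller.cr->uid;
    *sibling_uid = sibling.cr->uid;
    cred_free(sibling.cr);
    cred_free(caller.cr);
    return uid;
}

int main(void) {
    int sib, uid = uid_after_open(open_inplace, &sib);
    printf("in place: caller=%d sibling=%d\n", uid, sib);
    uid = uid_after_open(open_copy, &sib);
    printf("copy:     caller=%d sibling=%d\n", uid, sib);
    return 0;
}
```

In the model, the in-place variant leaves both the caller and the unrelated holder of the same cred at uid 0, while the copying variant leaves both at 1001.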
