[642] in bugtraq

Sol2.x Mouse EXPLOIT info (wsa Re: Solaris 2.4 bugs..)

daemon@ATHENA.MIT.EDU (Karl Strickland)
Sat Jan 14 21:38:40 1995

From: Karl Strickland <karl@bagpuss.demon.co.uk>
To: Casper Dik <casper@fwi.uva.nl>
Date: Sun, 15 Jan 1995 01:34:10 +0000 (GMT)
Cc: mouse@Collatz.McRCIM.McGill.EDU, rslau@tarazed.usc.edu, bugtraq@fc.net
In-Reply-To: <199501141534.AA04131@mail.fwi.uva.nl> from "Casper Dik" at Jan 14, 95 04:34:09 pm

> 
> 
> >>> Does anybody have information about the Solaris 2.4 bug fixed in the
> >>> patch Patch-ID# 102044-01 :
> >>> SunOS 5.4: bug in mouse code makes "break root" attack possible
> >> The bug was in Solaris 2.3 and yes it was the mouse driver.
> >> I'm still mulling over the propriety of posting the 3 line C program
> >> that exploits this hole and gives any user root.
> >
> >Personally, I'd advise against posting it - but some description of the
> >bug would be appreciated.  (Does some ioctl not check its arguments
> >sufficiently stringently, for example?)  Or if you don't understand it
> >and don't want to go to the trouble to figure it out, I'm sure someone
> >with a Solaris 2.3 system would volunteer to do so.  I'd volunteer
> >myself except that I don't have access to any such system.
> 
> 
> The problem is that the code uses and changes the user's cred
> structure, instead of allocating a new one (which is what happens
> in Solaris 2.2 and earlier).
> 
> Casper
> 

OK, Exploit details:

1) place pointer exactly in centre of screen
2) start to spiral out ANTICLOCKWISE - this movement must be
   smooth and finish in the top left corner
3) as soon as you reach the top left corner, unplug the mouse within
   4 seconds.
4) You should then be at the # prompt.

Have Fun.


------------------------------------------+-----------------------------------
Mailed using ELM on FreeBSD               |                    Karl Strickland
PGP 2.3a Public Key Available.            | Internet: karl@bagpuss.demon.co.uk
                                          |