[653] in bugtraq
Re: Sol2.x Mouse EXPLOIT info - CORRECTION
daemon@ATHENA.MIT.EDU (jsz)
Tue Jan 17 17:11:05 1995
From: jsz@ramon.bgu.ac.il (jsz)
To: cklaus@shadow.net (Christopher Klaus)
Date: Tue, 17 Jan 1995 22:15:27 +0200 (IST)
Cc: neil@legless.demon.co.uk, karl@bagpuss.demon.co.uk, bugtraq@fc.net
In-Reply-To: <199501170841.DAA25669@shadow.net> from "Christopher Klaus" at Jan 17, 95 03:41:48 am
Whoopssss -- sent an empty message, sorry!
> > This will NOT work on Solaris 2.X boxes. The spiraling out should in
> > fact be CLOCKWISE. An anticlockwise movement will give a shell running
> > as user nobody, rather than as uid 0!
> >
> > Top left is however important, so that we have 0,0 stored in cred->uid
> > and cred->gid. Due to the nature of the mouse driver, an anticlockwise
> > movement would spiral the uid/gid pair to the largest uid available on
> > the system, which under normal conditions would be user nobody.
>
> I tried it both ways and neither was successful; what am I doing wrong?!@?!
>
Probably you weren't mumbling "I love SMI" 3 times while trying Neil's method?
But seriously, as someone has already said, the bug is in one of the routines
of the driver in the kernel, which passes a pointer to a u-cred structure,
and the routine actually modifies the uid and gid (euid & egid as well) to
zero.
As for break-in code, I doubt it's worth expecting it to be posted here.
Why does ifconfig never show the PROMISC flag on 2.X, even if it *is* in PROMISC
mode?
What's up with a "+" in /etc/hosts.equiv in Solaris 1.1.2 aka 4.1.4, or
why does DEC ship Ultrix 4.X with a weirdo /.rhosts which contains --
"# @(#).rhosts 8.1 Ultrix 9/18/92" (taken out of 4.4 ult)?
Why can't you make mountd on Ultrix 4.X reject mount requests from
non-privileged ports? Turning on "nfsportmon" in the kernel doesn't
quite do the job properly. Things that make you go hmmm...
rgrds,
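The "+" in /etc/hosts.equiv and the odd /.rhosts content that the message above asks about are both things an administrator can check for mechanically. The script below is an added example written for this page, not code from jsz or from any of the vendors named; it parses files in the hosts.equiv/.rhosts format (one "host [user]" entry per line) and flags a bare "+" in the host field (any host trusted), a "+" in the user field (any user trusted), and any "#" line, since whether an old rlogind skips such a line is implementation-specific and is not asserted here. The file names and contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): audit hosts.equiv / .rhosts
# style files for the "+" wildcard.
#
# Entry format, one per line:   host [user]
#   host: "+" trusts every host; "-host" denies a host;
#         "+@ng" / "-@ng" name NIS netgroups
#   user: "+" trusts every user on the matching host ("+ +" trusts everyone)
#
# audit_equiv_file FILE
#   prints one finding per line on stdout
#   returns 0 when no wildcard is present, 1 when at least one is found,
#   2 when the file cannot be read
audit_equiv_file() {
    file=$1
    [ -r "$file" ] || { echo "$file: cannot read" >&2; return 2; }
    found=0
    lineno=0
    # "|| [ -n "$line" ]" also processes a last line that has no newline
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            '') continue ;;
            '#'*)
                # A trust file has no need for comments.  Whether a given
                # rlogind/rshd skips "#" lines is implementation-specific, so
                # the line is reported rather than assumed to be harmless.
                echo "$file:$lineno: unexpected comment line: $line"
                continue ;;
        esac
        set -f                 # no globbing while splitting the entry on whitespace
        set -- $line
        set +f
        host=$1
        user=${2:-}
        case "$host" in
            '+')   echo "$file:$lineno: any host trusted: $line"; found=1 ;;
            '+@'*) echo "$file:$lineno: every host in a netgroup trusted: $line" ;;
        esac
        if [ "$user" = '+' ]; then
            echo "$file:$lineno: any user trusted: $line"
            found=1
        fi
    done < "$file"
    return $found
}

# Constructed sample files so the example runs offline.
demo=$(mktemp -d)
printf 'trusted.example.org\n+\n' > "$demo/hosts.equiv.bad"              # bare "+": any host
printf 'trusted.example.org\nbuild.example.org +\n' > "$demo/hosts.equiv.anyuser"
printf 'trusted.example.org\nbuild.example.org jsz\n' > "$demo/hosts.equiv.ok"
printf '# @(#).rhosts 8.1 Ultrix 9/18/92\n' > "$demo/rhosts.ultrix"      # as quoted in the thread

for f in "$demo"/*; do
    if audit_equiv_file "$f"; then
        echo "$f: no wildcard entries"
    fi
done
```

On a real system the same function is run over /etc/hosts.equiv and over every ~/.rhosts (for example `find / -name .rhosts -print` piped to it); a non-zero return for any of them means someone on the network can log in without a password.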