Bugtraq
mailing list archives
crash security hole (Was: Re: finger-bombing, abuse timeout)
From: carson () lehman com (carson () lehman com)
Date: Fri, 14 Oct 1994 12:20:19 -0400
Well, the crash hole is partially there under Solaris as well. /dev/mem and
/dev/kmem are left open, but the gid is reset properly. Here's the partial
lsof output after a '!/opt/gnu/bin/bash' in /usr/sbin/crash:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF INODE NAME
bash 6955 carson 0u VCHR 24, 5 0x220e9 289 /devices/pseudo/pts () 0:5->pts
bash 6955 carson 1u VCHR 24, 5 0x220e9 289 /devices/pseudo/pts () 0:5->pts
bash 6955 carson 2u VCHR 24, 5 0x220e9 289 /devices/pseudo/pts () 0:5->pts
bash 6955 carson 3r VCHR 13, 0 0x0 33 /devices/pseudo/mm () 0:mem
bash 6955 carson 4u inet 0xfca3f730 0x0 UDP *:34023
bash 6955 carson 5r VCHR 72, 1 0x0 COMMON: ksyms
bash 6955 carson 6r VCHR 13, 1 0xf01554e8 29 /devices/pseudo/mm () 0:kmem
bash 6955 carson 7r VCHR 13, 0 0xae11528 33 /devices/pseudo/mm () 0:mem
bash 6955 carson 9u inet 0xfcb2fd30 0x0 UDP *:36028
bash 6955 carson 63u VCHR 22, 0 0x0 27 /devices/pseudo/sy () 0:tty
At least I can't _write_ to /dev/mem...
--
Carson Gaspar -- carson () cs columbia edu carson () lehman com
<This is the boring business .sig - no outre sayings here>
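
Added example, not part of the original post and not code from crash: a C program that reproduces the pattern in the lsof listing above (gid reset, but an open descriptor handed to the escaped shell) and the close-on-exec step that stops it. Assumptions: /dev/null stands in for /dev/kmem, and fd 9, cloexec_from and escape_inherits_fd are names made up for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

#define LEAK_FD 9 /* constructed stand-in slot for the inherited /dev/kmem descriptor */

/* Mark every open descriptor >= lowfd close-on-exec; returns how many were marked.
   The scan is capped for this demo; closefrom() or close_range() close the same range where available. */
int cloexec_from(int lowfd)
{
    long max = sysconf(_SC_OPEN_MAX);
    int marked = 0;
    if (max < 0 || max > 4096) max = 4096;
    for (int fd = lowfd; fd < max; fd++) {
        int fl = fcntl(fd, F_GETFD);            /* -1 means fd is not open */
        if (fl != -1 && fcntl(fd, F_SETFD, fl | FD_CLOEXEC) == 0) marked++;
    }
    return marked;
}

/* Shell escape; returns 1 if the shell inherited LEAK_FD, 0 if not, -1 on error. */
int escape_inherits_fd(int harden)
{
    int src = open("/dev/null", O_RDONLY);      /* stand-in for /dev/kmem */
    if (src < 0 || dup2(src, LEAK_FD) < 0) return -1;
    if (src != LEAK_FD) close(src);
    pid_t pid = fork();
    if (pid == 0) {
        if (setgid(getgid()) != 0) _exit(126);  /* gid reset, as the post reports */
        if (harden) cloexec_from(3);            /* the step the listing shows is missing */
        execl("/bin/sh", "sh", "-c", ": <&9", (char *)NULL); /* 9 == LEAK_FD */
        _exit(127);
    }
    close(LEAK_FD);
    int status;
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    int code = WEXITSTATUS(status);             /* shell exits 0 only if fd 9 was open */
    return (code == 126 || code == 127) ? -1 : code == 0;
}

int main(void)
{
    printf("plain escape inherits fd: %d\n", escape_inherits_fd(0));
    printf("hardened escape inherits fd: %d\n", escape_inherits_fd(1));
    return 0;
}
```

In the hardened run the shell prints a "Bad file descriptor" error, which is the expected sign that the descriptor did not survive the exec.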