Bugtraq mailing list archives

Pointer to a process's credential structure?
From: fritchie () stolaf edu (Scott Lystig Fritchie)
Date: Wed, 12 Apr 1995 17:44:53 -0500

Hi --

Browsing through some archived "bugtraq" messages I discovered a
really nifty way to change the effective and real userid of any
process running under SunOS 4.1.x (well, at least 4.1.2 and 4.1.3x).
That particular hole is demonstrably exploitable under Solaris 2.3
(and I assume Solaris 2.4), except for one little problem....

... obtaining a pointer to the process's user credentials structure.
SunOS 4.1.x was kind enough to supply "pstat", but that's missing
under Solaris 2.x.  We've been scratching our heads trying to find a
Solaris utility that would do the same thing, but can't find one.

Obtaining the magic address is pretty simple using:

        #include <stdio.h>
        #include <fcntl.h>
        #include <kvm.h>
        #include <sys/proc.h>

        kvm_t *kernel;
        proc_t *ourproc;       /* pid: the process we want to look at */

        if (! (kernel = kvm_open(NULL, NULL, NULL, O_RDONLY, argv[0])))
                return 1;      /* kvm_open() fails without access to /dev/kmem */
        if (! (ourproc = kvm_getproc(kernel, pid)))
                return 1;      /* no such process in the kernel's proc table */
        printf("p_cred = %lx\n", (unsigned long) ourproc->p_cred);

... but it won't work without permission to open /dev/kmem.

It's probably a good idea to enable the hardware password feature on
our Solaris consoles anyway (or is it?), but if there's a program
bundled with Solaris that will spit out that address, there's an added
reason for doing so.  :-)

Scott E. Lystig Fritchie, UNIX Systems Manager
Academic Computing Center, St. Olaf College
1510 St. Olaf Ave., Northfield, MN  55057
fritchie () stolaf edu ... 507/646.3407