Re: Solaris 2.5.1 party piece
From: milun () CS BUFFALO EDU (Davin Milun)
Date: Thu, 3 Jul 1997 13:20:01 -0400
From owner-bugtraq () NETSPACE ORG Thu Jun 19 14:29 EDT 1997
Date: Thu, 19 Jun 1997 15:27:39 +0100
From: Alan Cox <alan () LXORGUK UKUU ORG UK>
Subject: Solaris 2.5.1 party piece
Well CERT have had this for a year, AUSCERT for a couple of weeks and
now it's time bugtraq had it
cc solarisuck.c -o solarisuck -lsocket
rsh localhost ./solarisuck
You can adjust this to do other things. Basically any user can do network
control requests on a root created socket descriptor.
1. Disable rsh and any non-root-owned inetd tasks - breaks remote tar etc
2. Run an OS that the vendor doesn't take a year to fix bugs in
I have the original emails from Sun folks (Casper Dik, Alec Muffett and co)
to prove Sun have sat on this for ages.
It seems that Sun has finally fixed this.
Patch 103093-13 (Solaris 2.5 SPARC) claims to fix (among others) the
1238582 privileged ifconfig ioctls by normal user succeed on sockets created as
Davin Milun Internet: milun () cs Buffalo EDU milun () acm org
Fax: (716) 645-3464
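
Added example, not part of either message above: the first workaround in the quoted post ("Disable rsh and any non root owned inetd tasks") as a check over inetd.conf. It assumes the usual inetd.conf field order with the user in the fifth field and that rsh appears under its inetd service name `shell`; the sample entries, including the hypothetical `reportd`, are constructed.

```shell
#!/bin/sh
# Audit an inetd.conf for the entries the workaround would disable.
# Assumed field order: service type protocol wait user program [args...]

# audit_inetd [FILE...]  (reads stdin when no file is given)
#   RSH <service> <user>      the rsh service, listed in inetd.conf as "shell"
#   NONROOT <service> <user>  any other active entry not run as root
#   MALFORMED line <n>        active line with fewer than six fields
audit_inetd() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }       # blank or commented-out entry
        NF < 6 { printf "MALFORMED line %d\n", NR; next }
        {
            svc = $1; user = $5
            sub(/[.:].*$/, "", user)        # some inetds accept user.group
            base = svc
            sub(/\/.*$/, "", base)          # RPC entries look like name/version
            if (base == "shell")
                printf "RSH %s %s\n", svc, user
            else if (user != "root")
                printf "NONROOT %s %s\n", svc, user
        }
    ' "$@"
}

# Constructed sample for illustration; not taken from a real host.
sample_inetd_conf() {
    cat <<'EOF'
# constructed sample inetd.conf
ftp      stream  tcp  nowait  root       /usr/sbin/in.ftpd     in.ftpd
shell    stream  tcp  nowait  root       /usr/sbin/in.rshd     in.rshd
#login   stream  tcp  nowait  root       /usr/sbin/in.rlogind  in.rlogind
finger   stream  tcp  nowait  nobody     /usr/sbin/in.fingerd  in.fingerd
reportd  stream  tcp  nowait  ops.staff  /opt/local/reportd    reportd
time     dgram   udp  wait    root       internal
bogus    stream  tcp
EOF
}

sample_inetd_conf | audit_inetd
```

Each RSH or NONROOT line names an entry to comment out before inetd is told to re-read its configuration.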