Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Solaris 2.5.1 party piece
From: milun () CS BUFFALO EDU (Davin Milun)
Date: Thu, 3 Jul 1997 13:20:01 -0400


From owner-bugtraq () NETSPACE ORG Thu Jun 19 14:29 EDT 1997
Date:         Thu, 19 Jun 1997 15:27:39 +0100
From: Alan Cox <alan () LXORGUK UKUU ORG UK>
Subject:      Solaris 2.5.1 party piece

Well CERT have had this for a year, AUSCERT for a couple of weeks and
now its time bugtraq had it

cc solarisuck.c -o solarisuck -lsocket
rsh localhost ./solarisuck

...

You can adjust this to do other things. Basically any user can do network
control requests on a root created socket descriptor.


Workarounds:
1.  Disable rsh and any non root owned inetd tasks -  breaks remote tar etc
2.  Run an OS that the vendor doesnt take a year to fix bugs in

I have the original emails from Sun folks (Casper Dik, Alec Muffett and co)
to prove Sun have sat on this for ages.

It seems that Sun has finally fixed this.

Patch 103093-13 (Solaris 2.5 SPARC) claims to fix (among others) the
following problem:
1238582 privileged ifconfig ioctls by normal user succeed on sockets created as
root

Davin.
--
Davin Milun    Internet:  milun () cs Buffalo EDU     milun () acm org
               Fax:       (716) 645-3464
               WWW:       http://www.cs.buffalo.edu/~milun/



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]