Bugtraq mailing list archives

Re: Solaris 2.5.1 party piece
From: milun () CS BUFFALO EDU (Davin Milun)
Date: Thu, 3 Jul 1997 13:20:01 -0400


From owner-bugtraq () NETSPACE ORG Thu Jun 19 14:29 EDT 1997
Date:         Thu, 19 Jun 1997 15:27:39 +0100
From: Alan Cox <alan () LXORGUK UKUU ORG UK>
Subject:      Solaris 2.5.1 party piece

Well CERT have had this for a year, AUSCERT for a couple of weeks and
now it's time bugtraq had it

cc solarisuck.c -o solarisuck -lsocket
rsh localhost ./solarisuck

...

You can adjust this to do other things. Basically any user can do network
control requests on a root created socket descriptor.


Workarounds:
1.  Disable rsh and any non root owned inetd tasks -  breaks remote tar etc
2.  Run an OS that the vendor doesn't take a year to fix bugs in

I have the original emails from Sun folks (Casper Dik, Alec Muffett and co)
to prove Sun have sat on this for ages.

It seems that Sun has finally fixed this.

Patch 103093-13 (Solaris 2.5 SPARC) claims to fix (among others) the
following problem:
1238582 privileged ifconfig ioctls by normal user succeed on sockets created as root

Davin.
--
Davin Milun    Internet:  milun () cs Buffalo EDU     milun () acm org
               Fax:       (716) 645-3464
               WWW:       http://www.cs.buffalo.edu/~milun/


