Bugtraq: Re: Solaris priocntl exploit

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Re: Solaris priocntl exploit

From: Casper Dik <Casper.Dik () Sun COM>
Date: Wed, 27 Nov 2002 21:56:37 +0100

The module's name is a relative path, priocntl will search the module file
in only /kernel/sched and /usr/kernel/sched/ dirs.
but unfortunately, priocntl() never check '../' in pc_clname arg
we can use '../../../tmp/module' to make priocntl() load a module from anywhere



The "pc_clname[]" argument is limited in size; to prevent this particular
bug from being exploited you could:


        for dir in /kernel /usr/kernel
        do
                cd $dir
                mkdir -p a/b/c/d/e/f/g/h
                mv sched a/b/c/d/e/f/g/h
                ln -s a/b/c/d/e/f/g/h/sched .
        done


Casper

By Date By Thread

Current thread:

Solaris priocntl exploit 蔺毅�� (Nov 27)
- Re: Solaris priocntl exploit Casper Dik (Nov 27)
- <Possible follow-ups>
- Re: Solaris priocntl exploit Casper Dik (Nov 28)
- re: Solaris priocntl exploit Jeff Damens (Nov 29)