crash security hole (Was: Re: finger-bombing, abuse timeout)

carson@lehman.com
Fri, 14 Oct 1994 12:20:19 -0400

Well, the crash hole is partially there under Solaris as well.  /dev/mem and
/dev/kmem are left open, but the gid is reset properly.  Here's the partial
lsof output after a '!/opt/gnu/bin/bash' in /usr/sbin/crash:

COMMAND     PID     USER   FD   TYPE     DEVICE   SIZE/OFF  INODE NAME
bash       6955   carson    0u  VCHR    24,   5    0x220e9    289 /devices/pseudo/pts@0:5->pts
bash       6955   carson    1u  VCHR    24,   5    0x220e9    289 /devices/pseudo/pts@0:5->pts
bash       6955   carson    2u  VCHR    24,   5    0x220e9    289 /devices/pseudo/pts@0:5->pts
bash       6955   carson    3r  VCHR    13,   0        0x0     33 /devices/pseudo/mm@0:mem
bash       6955   carson    4u  inet 0xfca3f730        0x0    UDP *:34023
bash       6955   carson    5r  VCHR    72,   1        0x0        COMMON: ksyms
bash       6955   carson    6r  VCHR    13,   1 0xf01554e8     29 /devices/pseudo/mm@0:kmem
bash       6955   carson    7r  VCHR    13,   0  0xae11528     33 /devices/pseudo/mm@0:mem
bash       6955   carson    9u  inet 0xfcb2fd30        0x0    UDP *:36028
bash       6955   carson   63u  VCHR    22,   0        0x0     27 /devices/pseudo/sy@0:tty

At least I can't _write_ to /dev/mem...

--
Carson Gaspar -- carson@cs.columbia.edu carson@lehman.com
<This is the boring business .sig - no outre sayings here>
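The lsof listing above shows the core of the problem: a privileged program that offers a `!` shell escape hands its open descriptors (here /dev/mem, /dev/kmem and ksyms) to the child shell unless it explicitly prevents that. The following C program is an added example, not code from Carson's message or from crash; it shows the audit (count the descriptors that would survive an exec, the same thing lsof revealed from outside) and the mitigation (mark them close-on-exec before spawning the shell, or open them with O_CLOEXEC in the first place). It assumes a POSIX system with fcntl(2) and uses /dev/null as a constructed stand-in for the device files; the 65536 scan cap is an arbitrary bound for the demo.

```c
/* Added example (not from the original post or from crash): audit and
 * close-on-exec hardening for a privileged program with a '!' shell escape.
 * Assumes POSIX fcntl(2); /dev/null stands in for /dev/mem and /dev/kmem. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Upper bound on descriptor numbers to scan (capped for the demo). */
static int max_fd(void) {
    long n = sysconf(_SC_OPEN_MAX);
    if (n < 0 || n > 65536) n = 65536;
    return (int)n;
}

/* 1 if fd is open and lacks FD_CLOEXEC (it would be inherited across
 * execve), 0 if it is closed or already close-on-exec, -1 on other error. */
int fd_would_leak(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1) return errno == EBADF ? 0 : -1;
    return (flags & FD_CLOEXEC) ? 0 : 1;
}

/* Audit: number of descriptors >= first that would survive an exec.
 * This is the check lsof made visible, done from inside the program. */
int count_leaky_fds(int first) {
    int n = 0, lim = max_fd();
    for (int fd = first; fd < lim; fd++)
        if (fd_would_leak(fd) == 1) n++;
    return n;
}

/* Mitigation: mark every descriptor >= first close-on-exec so a spawned
 * shell starts without them. Returns the number changed, or -1 on error. */
int set_cloexec_from(int first) {
    int changed = 0, lim = max_fd();
    for (int fd = first; fd < lim; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1) {
            if (errno == EBADF) continue;   /* not open, nothing to do */
            return -1;
        }
        if (flags & FD_CLOEXEC) continue;   /* already safe */
        if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1) return -1;
        changed++;
    }
    return changed;
}

int main(void) {
    /* Constructed stand-ins for the device descriptors crash leaves open.
     * A program written with O_CLOEXEC here would not need the fixup below. */
    int mem = open("/dev/null", O_RDONLY);
    int kmem = open("/dev/null", O_RDONLY);
    if (mem == -1 || kmem == -1) { perror("open"); return 1; }

    printf("inheritable fds before hardening: %d\n", count_leaky_fds(3));

    pid_t pid = fork();
    if (pid == 0) {
        /* What a '!' escape should do before exec: the child's copies of
         * the descriptors are marked close-on-exec, so the shell sees only
         * 0, 1 and 2 (ls itself may show one fd of its own). */
        if (set_cloexec_from(3) == -1) _exit(127);
        execl("/bin/sh", "sh", "-c", "ls /dev/fd", (char *)NULL);
        _exit(127);
    }
    if (pid > 0) waitpid(pid, NULL, 0);

    /* The parent's own table is untouched by the child's fcntl calls. */
    printf("inheritable fds in parent afterwards: %d\n", count_leaky_fds(3));
    close(mem);
    close(kmem);
    return 0;
}
```

Setting FD_CLOEXEC in the child after fork() is the portable form; where the program controls the open() calls, passing O_CLOEXEC there is simpler and avoids the scan entirely, and systems that provide closefrom() or close_range() can close the range without iterating. Note that this only addresses descriptor inheritance; the gid/uid handling that the message says Solaris gets right is a separate check.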