Re: Solaris 2.4 bugs...

Casper Dik (casper@fwi.uva.nl)
Sat, 14 Jan 1995 16:34:09 +0100

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Karl Strickland: "Sol2.x Mouse EXPLOIT info (wsa Re: Solaris 2.4 bugs..)"
Previous message: Pete Shipley: "Re: mountd keeps vanishing (!)"
In reply to: der Mouse: "Re: Solaris 2.4 bugs..."
Next in thread: Karl Strickland: "Sol2.x Mouse EXPLOIT info (wsa Re: Solaris 2.4 bugs..)"

>>> Does anybody have information about the Solaris 2.4 bug fixed in the
>>> patch Patch-ID# 102044-01 :
>>> SunOS 5.4: bug in mouse code makes "break root" attack possible
>> The bug was in Solaris 2.3 and yes it was the mouse driver.
>> I'm still mulling over the propriety of posting the 3 line C program
>> that expliots this hole and gives any user root.
>
>Personally, I'd advise against posting it - but some description of the
>bug would be appreciated.  (Does some ioctl not check its arguments
>sufficiently stringently, for example?)  Or if you don't understand it
>and don't want to go to the trouble to figure it out, I'm sure someone
>with a Solaris 2.3 system would volunteer to do so.  I'd volunteer
>myself except that I don't have access to any such system.


The problem is that the code uses and changes the user's cred
structure, instead of allocating a new one (which is what happens
in Solaris 2.2 and earlier).

Casper

Next message: Karl Strickland: "Sol2.x Mouse EXPLOIT info (wsa Re: Solaris 2.4 bugs..)"
Previous message: Pete Shipley: "Re: mountd keeps vanishing (!)"
In reply to: der Mouse: "Re: Solaris 2.4 bugs..."
Next in thread: Karl Strickland: "Sol2.x Mouse EXPLOIT info (wsa Re: Solaris 2.4 bugs..)"