>>> Does anybody have information about the Solaris 2.4 bug fixed in the >>> patch Patch-ID# 102044-01 : >>> SunOS 5.4: bug in mouse code makes "break root" attack possible >> The bug was in Solaris 2.3 and yes it was the mouse driver. >> I'm still mulling over the propriety of posting the 3 line C program >> that expliots this hole and gives any user root. > >Personally, I'd advise against posting it - but some description of the >bug would be appreciated. (Does some ioctl not check its arguments >sufficiently stringently, for example?) Or if you don't understand it >and don't want to go to the trouble to figure it out, I'm sure someone >with a Solaris 2.3 system would volunteer to do so. I'd volunteer >myself except that I don't have access to any such system. The problem is that the code uses and changes the user's cred structure, instead of allocating a new one (which is what happens in Solaris 2.2 and earlier). Casper