> >>> Does anybody have information about the Solaris 2.4 bug fixed in the
> >>> patch Patch-ID# 102044-01 :
> >>> SunOS 5.4: bug in mouse code makes "break root" attack possible
> >> The bug was in Solaris 2.3 and yes it was the mouse driver.
> >> I'm still mulling over the propriety of posting the 3 line C program
> >> that exploits this hole and gives any user root.
> >
> >Personally, I'd advise against posting it - but some description of the
> >bug would be appreciated. (Does some ioctl not check its arguments
> >sufficiently stringently, for example?) Or if you don't understand it
> >and don't want to go to the trouble to figure it out, I'm sure someone
> >with a Solaris 2.3 system would volunteer to do so. I'd volunteer
> >myself except that I don't have access to any such system.
> >
> The problem is that the code uses and changes the user's cred
> structure, instead of allocating a new one (which is what happens
> in Solaris 2.2 and earlier).
>
> Casper
>
OK, Exploit details:

1) place pointer exactly in centre of screen
2) start to spiral out ANTICLOCKWISE - this movement must be smooth and
   finish in the top left corner
3) as soon as you reach the top left corner, unplug the mouse within 4
   seconds.
4) You should then be at the # prompt.

Have Fun.

------------------------------------------+-----------------------------------
Mailed using ELM on FreeBSD               | Karl Strickland
PGP 2.3a Public Key Available.            | Internet: karl@bagpuss.demon.co.uk
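Casper's one-line diagnosis is the only technical content in the thread: the driver wrote to the calling process's own cred structure instead of working on a fresh one. The following is an added example, not code from the thread, from Sun or from Solaris, that models that bug class in user space: a driver entry point that raises privilege by editing the caller's shared cred, beside one that does the same work on a private copy. The cred and proc types, the early-return error path and the uid values are constructed assumptions, not Solaris internals.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the bug class Casper describes: the cred and
 * proc types below are hypothetical, not Solaris kernel internals. */
typedef struct cred { unsigned uid; } cred_t;  /* uid 0 means root */
typedef struct proc { cred_t *cr; } proc_t;    /* process holds a cred */

static cred_t *cred_new(unsigned uid) {
    cred_t *c = malloc(sizeof *c);
    c->uid = uid;
    return c;
}

/* Stand-in for the privileged work the driver has to do. */
static int privileged_op(const cred_t *c) { return c->uid == 0 ? 0 : -1; }

/* Buggy pattern: the driver raises privilege on the caller's own cred.
 * It means to restore the uid afterwards, but an error path returns
 * early and the process keeps running as uid 0. */
static int driver_ioctl_buggy(proc_t *p, int fail) {
    unsigned saved = p->cr->uid;
    p->cr->uid = 0;                 /* writes the shared structure */
    if (privileged_op(p->cr) != 0 || fail)
        return -1;                  /* saved uid never written back */
    p->cr->uid = saved;
    return 0;
}

/* Fixed pattern: privilege is raised on a private copy, so the caller's
 * cred is never modified whichever path the driver takes. */
static int driver_ioctl_fixed(proc_t *p, int fail) {
    cred_t *tmp = malloc(sizeof *tmp);
    memcpy(tmp, p->cr, sizeof *tmp);
    tmp->uid = 0;
    int rc = (privileged_op(tmp) != 0 || fail) ? -1 : 0;
    free(tmp);
    return rc;
}

/* Runs one driver entry point for an unprivileged process (constructed
 * uid 1000) and reports the uid the process is left with. */
static unsigned uid_after(int (*op)(proc_t *, int), int fail) {
    proc_t p = { cred_new(1000) };
    op(&p, fail);
    unsigned uid = p.cr->uid;
    free(p.cr);
    return uid;
}
```

The point a reviewer would check in a real driver is the same one the model isolates: any write to a cred that other holders can see is a privilege change for all of them, and the fix is to copy before modifying rather than to add more restore paths.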