Re: Sol2.x Mouse EXPLOIT info - CORRECTION

Neil Woods (neil@legless.demon.co.uk)
Tue, 17 Jan 1995 00:39:01 +0100 (GMT)

> 
> OK, Exploit details:
> 
> 1) place pointer exactly in centre of screen
> 2) start to spiral out ANTICLOCKWISE - this movement must be
>    smooth and finish in the top left corner
> 3) as soon as you reach the top left corner, unplug the mouse within
>    4 seconds.
> 4) You should then be at the # prompt.
> 
> Have Fun.
> 

This will NOT work on Solaris 2.X boxes.  The spiraling out should in
fact be CLOCKWISE.  An anticlockwise movement will give a shell running
as user nobody, rather than as uid 0!

Top left is, however, important, so that we have 0,0 stored in cred->uid
and cred->gid.  Due to the nature of the mouse driver, an anticlockwise
movement would spiral the uid/gid pair to the largest uid available on
the system, which under normal conditions would be user nobody.

Cheers,

Neil

-- 
Let the Mystery Be, So Watcha Want, Longing In Their Hearts, Hate My Way,
M-Bike, Safari, Uncle June and Aunt Kiyoti, Daisy Dead Petals, Tuff Gnarl.

     ...like a badger with an afro throwing sparklers at the Pope...