Re: Sol2.x Mouse EXPLOIT info - CORRECTION

Leo Bicknell (bicknell@ussenterprise.async.vt.edu)
Tue, 17 Jan 1995 17:09:05 -0500 (EST)

> Probably you weren't mumbling "I love SMI" 3 times while trying Neil's method?
> But seriously, as someone has already said, the bug is in one of the routines
> of the driver in the kernel, which passes a pointer to u-cred structure 
> and the routine actually modifies the uid and gid (euid & egid as well) to 
> zero.
> 
> As for breakin code, I doubt if it's worth expecting it being posted
> here.

	I'll start off by saying that we are entirely a DEC shop
here...so I can't test this out myself, but I would like to see
a complete summary of the problem (with some more details) as
I find this one quite funny...face it, as bugs go this is a good
one.

> Why DEC ships off Ultrix 4.X with a weirdo /.rhosts which contains --
> "#       @(#).rhosts     8.1     Ultrix  9/18/92"  (taken out of 4.4 ult)

	There was a bug as I recall that would allow
a user to create a file provided it didn't already exist
(something with mail, as I recall)...Since many systems
didn't have a root .rhosts, that was an easy way in.  I don't
think Ultrix ever had this problem, but there was a lot of 3rd
party code (based on some branch of the BSD tree) that had
this problem.  I presume it's DEC's (feeble?) way of
preventing it...

> Why can't you make mountd on Ultrix 4.X reject mount requests from 
> non-privileged ports? turning on "nfsportmon" in the kernel doesn't
> quite do the job properly. Things that make you go hmmm...

	There are several replacements for Ultrix's mountd available
with various features.  Can't say I know more than that about them.


-- 
Leo Bicknell - bicknell@vt.edu                     | Make a little birdhouse
               bicknell@csugrad.cs.vt.edu          | in your soul......
               bicknell@ussenterprise.async.vt.edu | They Might
http://ussenterprise.async.vt.edu/~bicknell/       | Be Giants
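The thread asks why Ultrix's mountd cannot be made to reject mount requests arriving from non-privileged source ports. The check itself rests on one property of BSD-derived TCP/IP: only root may bind a port below IPPORT_RESERVED (1024), so a request from a low port is evidence that a privileged process on the client sent it. The following is an added example, not Ultrix's mountd or any code from the thread; it shows the decision an RPC service makes when such port monitoring is turned on. The struct mount_request type, the port_monitor flag (standing in for the nfsportmon idea), and the addresses and paths are all constructed for the demonstration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* IPPORT_RESERVED (1024) comes from <netinet/in.h> on BSD-derived systems;
 * only root can bind a port below it, which is what the check relies on.
 * Fall back to the conventional value if the header does not define it. */
#ifndef IPPORT_RESERVED
#define IPPORT_RESERVED 1024
#endif

/* Hypothetical, constructed request record: only the client address
 * and the requested export path matter for this check. */
struct mount_request {
    struct sockaddr_in from;
    const char *path;
};

/* Returns 1 if the request came from a port only root could have bound. */
int from_privileged_port(const struct sockaddr_in *from)
{
    return ntohs(from->sin_port) < IPPORT_RESERVED;
}

/* Decide whether to service a mount request. port_monitor plays the role
 * of a kernel/daemon option like nfsportmon: when set, requests from
 * unprivileged source ports are refused before any export lookup happens.
 * A one-line reason is written to reason[] for logging. Returns 1 = accept. */
int accept_mount(const struct mount_request *req, int port_monitor,
                 char *reason, size_t reason_len)
{
    const char *client = inet_ntoa(req->from.sin_addr);
    unsigned port = ntohs(req->from.sin_port);

    if (port_monitor && !from_privileged_port(&req->from)) {
        snprintf(reason, reason_len,
                 "refused mount of %s from %s:%u: unprivileged source port",
                 req->path, client, port);
        return 0;
    }
    snprintf(reason, reason_len, "accepted mount of %s from %s:%u",
             req->path, client, port);
    return 1;
}

/* Build a constructed request from a dotted-quad address and a port. */
struct mount_request make_request(const char *ip, unsigned short port,
                                  const char *path)
{
    struct mount_request r;
    memset(&r, 0, sizeof r);
    r.from.sin_family = AF_INET;
    r.from.sin_port = htons(port);
    inet_pton(AF_INET, ip, &r.from.sin_addr);
    r.path = path;
    return r;
}

int main(void)
{
    char reason[160];
    /* Constructed sample traffic: one request from a low port, one from a
     * high port; the high-port request is only accepted with monitoring off. */
    struct mount_request low = make_request("192.0.2.10", 700, "/export/home");
    struct mount_request high = make_request("192.0.2.10", 40000, "/export/home");

    accept_mount(&low, 1, reason, sizeof reason);
    puts(reason);
    accept_mount(&high, 1, reason, sizeof reason);
    puts(reason);
    accept_mount(&high, 0, reason, sizeof reason);
    puts(reason);
    return 0;
}
```

The point of the example is where the refusal sits: before any host or export list is consulted, so a request from an unprivileged client process never reaches the export logic at all. On a system whose daemon cannot be configured this way, the thread's suggestion of a replacement mountd is the usual remedy.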