>
> Hi --
>
> Browsing through some archived "bugtraq" messages I discovered a
> really nifty way to change the effective and real userid of any
> process running under SunOS 4.1.x (well, at least 4.1.2 and 4.1.3x).
> That particular hole is demonstrably exploitable under Solaris 2.3
> (and I assume Solaris 2.4), except for one little problem....
>

I'd have to think...we used to be able to do this via the prom debugger.
We wouldn't have to know any address ahead of time, but could walk the
kernel's tables in the debugger from the prom prompt. If anyone really
cares I could probably figure it out for Solaris 2, but I'm not sure of
the point. I'd hope everyone knows that physical security is important,
and that if you don't have it you're in deep doo-doo.

Patrick
 _______________________________________________________________________
/ These opinions are mine, and not Amdahl's (except by coincidence;).   \
|                                                              (\       |
| Patrick J. Horgan       Amdahl Corporation                    \\ Have |
| patrick@amdahl.com      1250 East Arques Avenue          \\ _ Sword   |
| Phone : (408)992-2779   P.O. Box 3470 M/S 316             \\/ Will    |
| FAX   : (408)773-0833   Sunnyvale, CA 94088-3470         _/\\ Travel  |
\___________________________O16-2294________________________\)__________/