Re: Solaris 2.5.1 party piece

Davin Milun (milun@CS.BUFFALO.EDU)
Thu, 03 Jul 1997 13:20:01 -0400

>From owner-bugtraq@NETSPACE.ORG Thu Jun 19 14:29 EDT 1997
>Date: Thu, 19 Jun 1997 15:27:39 +0100
>From: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
>Subject: Solaris 2.5.1 party piece
>
> Well CERT have had this for a year, AUSCERT for a couple of weeks and
>now it's time bugtraq had it
>
>cc solarisuck.c -o solarisuck -lsocket
>rsh localhost ./solarisuck
>
...
>
>You can adjust this to do other things. Basically any user can do network
>control requests on a root created socket descriptor.
>
>
>Workarounds:
> 1. Disable rsh and any non root owned inetd tasks - breaks remote tar etc
> 2. Run an OS that the vendor doesn't take a year to fix bugs in
>
> I have the original emails from Sun folks (Casper Dik, Alec Muffett and co)
> to prove Sun have sat on this for ages.

It seems that Sun has finally fixed this.

Patch 103093-13 (Solaris 2.5 SPARC) claims to fix (among others) the
following problem:
1238582 privileged ifconfig ioctls by normal user succeed on sockets created as root

Davin.

--
Davin Milun    Internet:  milun@cs.Buffalo.EDU     milun@acm.org
               Fax:       (716) 645-3464
               WWW:       http://www.cs.buffalo.edu/~milun/
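
A patch-level check for the fix reported in the message above, as an added example that is not part of the original post or of any Sun tooling. The helper name `patch_at_least` is hypothetical, the sample listings are constructed, and only the patch ID 103093 and revision 13 are taken from the message.

```shell
#!/bin/sh
# Added example (not from the original message). patch_at_least is a
# hypothetical helper: it reads `showrev -p` style output on stdin and reports
# whether patch BASE is installed at revision MINREV or later.
# Exit status: 0 = installed at >= MINREV, 1 = installed but older, 2 = absent.
# Needs an awk with -v support (on Solaris that is nawk, not /usr/bin/awk).
patch_at_least() {
    awk -v base="$1" -v minrev="$2" '
        $1 == "Patch:" {
            # Field 2 is the patch ID, e.g. 103093-13 (base-revision).
            if (split($2, id, "-") == 2 && id[1] == base) {
                found = 1
                if (id[2] + 0 > best) best = id[2] + 0
            }
        }
        END {
            if (!found) exit 2
            exit (best >= minrev + 0 ? 0 : 1)
        }'
}

# Constructed sample listings. Only 103093 and revision 13 come from the
# message; the other patch ID and the package names are made up.
SAMPLE_OLD='Patch: 199999-02 Obsoletes:  Requires:  Incompatibles:  Packages: EXAMPLEpkg
Patch: 103093-08 Obsoletes:  Requires:  Incompatibles:  Packages: EXAMPLEkern'
SAMPLE_FIXED="$SAMPLE_OLD
Patch: 103093-13 Obsoletes:  Requires:  Incompatibles:  Packages: EXAMPLEkern"

report() {   # $1 = label, $2 = listing text
    printf '%s\n' "$2" | patch_at_least 103093 13
    case $? in
        0) echo "$1: 103093-13 or later installed" ;;
        1) echo "$1: 103093 installed below revision 13" ;;
        *) echo "$1: 103093 not installed" ;;
    esac
}
report "old host" "$SAMPLE_OLD"
report "patched host" "$SAMPLE_FIXED"
```

On a live system the input would be the output of `showrev -p`; the message gives this patch ID for Solaris 2.5 SPARC only.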