Failure of Solaris and old BSD versions to honor the filesystem permissions of unix domain sockets.
Solaris (including SunOS) and old (4.3 and earlier) versions of BSD don't honor permissions on the filesystem representations of unix domain sockets: the mode bits on the socket inode are ignored when a client calls connect(), so a socket created with mode 0600 can still be connected to by any local user who can reach its path. Only the search permission on the directories leading to the socket is still checked during path lookup, which is why the usual workaround was to hide the socket in a directory other users cannot list and give it an unguessable name. Many programmers do not realize that on such a system anyone can send data to their program simply by connecting to the "file".
Thamer Al-Herbish posted this to Bugtraq, though the behavior was already somewhat well known.
Any local user can connect to an application's unix domain socket and feed it arbitrary data, regardless of the permissions set on the socket file.
Solaris 2.5 and earlier (2.5.1 unconfirmed). Solaris 2.6 is reported not to be vulnerable.
17 May 1997
Date: Sat, 17 May 1997 11:43:47 +0000
From: Thamer Al-Herbish
Subject: UNIX domain socket (Solarisx86 2.5)
On Solarisx86 2.5 I was able to connect to a unix domain socket,
*regardless* of permissions. After posting about it on a Solaris Usenet
group the only recommendation anyone gave me was to create it in an
unreadable directory. So the attacker would have to guess its name.
Still *anyone* could have connected to that domain socket, and fed my
application bogus data.
I had a look at any applications that use it. I found screen does, but
luckily in its autoconfig it decides to use pipes.
This behaviour is not present on other OSs I tested it on. (mostly BSD
This was discovered a few months ago with just about all recommended
patches applied. Since then I've moved onto safer pastures.
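The two checks a practitioner would want after reading this, as an added example that is not part of the original page or of the post above: a probe that tells you whether the kernel you are on honors the mode bits on a socket file at connect() time, and the server-side fix that does not depend on the answer, asking the kernel for the connecting peer's credentials and refusing anyone but the expected uid. The C is my own; the function names and the temporary-directory location are my choices, and the credential call is SO_PEERCRED on Linux and getpeereid() on the BSDs and macOS, neither of which the systems in the post had (Solaris 10 and later offer getpeerucred(3C), not shown). Both checks share the same small socket helpers.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* Stream socket listening at path (do_listen) or connected to it; -1 with errno set on failure. */
static int unix_socket(const char *path, int do_listen)
{
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    int fd, saved;
    if (strlen(path) >= sizeof sa.sun_path) { errno = ENAMETOOLONG; return -1; }
    strcpy(sa.sun_path, path);
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) return -1;
    if (do_listen ? (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 5) < 0)
                  : (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0)) {
        saved = errno;                   /* close() must not clobber the real error */
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Private 0700 directory under $TMPDIR or /tmp (location is my choice) holding a listening
   socket; fills dir and path (n bytes each) and returns the listening fd, or -1. */
static int setup(char *dir, char *path, size_t n, const char *tag)
{
    const char *base = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    int lfd;
    if (snprintf(dir, n, "%s/%s.XXXXXX", base, tag) >= (int)n || !mkdtemp(dir)) return -1;
    if (snprintf(path, n, "%s/sock", dir) >= (int)n || (lfd = unix_socket(path, 1)) < 0) {
        rmdir(dir);
        return -1;
    }
    return lfd;
}

static void teardown(int lfd, const char *path, const char *dir)
{
    close(lfd); unlink(path); rmdir(dir);
}

/* The server-side check the post's applications lacked: ask the kernel who the peer is instead
   of trusting the socket file's mode bits.  1 = peer euid is `expected`, 0 = not, -1 = call failed. */
int peer_uid_matches(int fd, uid_t expected)
{
#ifdef __linux__
    struct { pid_t pid; uid_t uid; gid_t gid; } cr;   /* same layout as struct ucred */
    socklen_t len = sizeof cr;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len) < 0) return -1;
    return cr.uid == expected;
#else
    uid_t uid; gid_t gid;                /* getpeereid(): BSDs and macOS */
    if (getpeereid(fd, &uid, &gid) < 0) return -1;
    return uid == expected;
#endif
}

/* Does the kernel honour mode bits on a socket file?  Mode 0000 must refuse even the owner where
   they are checked (root is exempt, so run unprivileged).  1 = enforced, 0 = ignored (the
   behaviour reported above), -1 = the probe itself failed. */
int fs_perms_enforced(void)
{
    char dir[256], path[256];
    int lfd, cfd, rc = -1;
    if ((lfd = setup(dir, path, sizeof dir, "sockprobe")) < 0) return -1;
    if (chmod(path, 0) == 0) {
        if ((cfd = unix_socket(path, 0)) >= 0) { rc = 0; close(cfd); }
        else if (errno == EACCES || errno == EPERM) rc = 1;
    }
    teardown(lfd, path, dir);
    return rc;
}

/* The credential check end to end in one process: client and server share a uid, so this returns
   1 for geteuid() and 0 for any other value (-1 if setup failed). */
int peer_check_demo(uid_t expected)
{
    char dir[256], path[256];
    int lfd, cfd, afd, rc = -1;
    if ((lfd = setup(dir, path, sizeof dir, "sockdemo")) < 0) return -1;
    if ((cfd = unix_socket(path, 0)) >= 0) {
        if ((afd = accept(lfd, NULL, NULL)) >= 0) { rc = peer_uid_matches(afd, expected); close(afd); }
        close(cfd);
    }
    teardown(lfd, path, dir);
    return rc;
}

int main(void)
{
    int rc = fs_perms_enforced();
    printf("socket mode bits: %s\n", rc == 1 ? "enforced" : rc == 0 ? "IGNORED, any local user can connect" : "probe failed");
    printf("peer uid check: own euid -> %d, other uid -> %d\n", peer_check_demo(geteuid()), peer_check_demo(geteuid() + 1));
    return 0;
}
```

Run the probe as an unprivileged user: root is exempt from the mode-bit check, so as root it reports the bits as ignored on every system. The directory setup() creates is 0700, a stricter form of the "unreadable directory" the Usenet advice in the post amounted to; peer_uid_matches() is what an application should do on top of that, because it holds whether or not the kernel checks the socket's mode bits and whether or not the socket's name can be guessed.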
This page is part of Fyodor's exploit