Failure of Solaris and old BSD versions to honor the filesystem permissions of unix domain sockets.

Description:Solaris (including SunOS) and old (4.3 and earlier) versions of BSD don't honor permissions on the filesystem representations of unix domain sockets. A lot of programmers might not realize that anyone can send data to their programs by writing to the "file".
Author:Thamer Al-Herbish <> posted this to bugtraq, but it was somewhat well known.
Compromise:write malicious data to unsuspecting applications
Vulnerable Systems:Solaris 2.5 and earlier (not sure about 2.5.1). Version 2.6 will supposedly not be vulnerable.
Date:17 May 1997

Date: Sat, 17 May 1997 11:43:47 +0000
From: Thamer Al-Herbish <>
Subject: UNIX domain socket (Solarisx86 2.5)

On Solarisx86 2.5 I was able to connect to a unix domain socket,
*regardless* of permissions. After posting about it on a solaris usenet
group the only recommendation anyone gave me was to create it in an
unreadable directory. So the attacker would have to guess its name.
Still *anyone* could of connected to that domain socket, and fed my
application bogus data.

I had a look at any applications that use it. I found screen does, but
luckily in its autoconfig it decides to use pipes.

This behaviour is not present on other OSs I tested it on. (mostly BSD

This was discovered a few months ago with just about all recommended
patches applied. Since then I've moved onto safer pastures.

Thamer Al-Herbish

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: