Failure of Solaris and old BSD versions to honor the filesystem permissions of unix domain sockets.
Description: Solaris (including SunOS) and old (4.3 and earlier) versions of BSD don't honor permissions on the filesystem representations of unix domain sockets. A lot of programmers might not realize that anyone can send data to their programs by writing to the "file".
Author: Thamer Al-Herbish <shadows@whitefang.com> posted this to bugtraq, but it was somewhat well known.
Compromise: write malicious data to unsuspecting applications
Vulnerable Systems: Solaris 2.5 and earlier (not sure about 2.5.1). Version 2.6 will supposedly not be vulnerable.
Date: 17 May 1997

Date: Sat, 17 May 1997 11:43:47 +0000
From: Thamer Al-Herbish <shadows@whitefang.com>
To: BUGTRAQ@NETSPACE.ORG
Subject: UNIX domain socket (Solarisx86 2.5)
On Solarisx86 2.5 I was able to connect to a unix domain socket,
*regardless* of permissions. After posting about it on a Solaris Usenet
group the only recommendation anyone gave me was to create it in an
unreadable directory. So the attacker would have to guess its name.
Still *anyone* could have connected to that domain socket, and fed my
application bogus data.
I had a look at any applications that use it. I found screen does, but
luckily in its autoconfig it decides to use pipes.
This behaviour is not present on other OSs I tested it on. (mostly BSD
variants).
This was discovered a few months ago with just about all recommended
patches applied. Since then I've moved onto safer pastures.
--
shadows@whitefang.com
shadows@kuwait.net
Thamer Al-Herbish
This page is part of Fyodor's exploit
world.