From proff  Sat Jul 27 11:11:40 1996
Approved-By: ALEPH1@UNDERGROUND.ORG
Content-Type: text
Approved-By:  Aleph One <aleph1@DFW.NET>
Message-ID: <m0uhhEZ-0005FbC@lightning.swansea.linux.org.uk>
Date: 	Fri, 26 Jul 1996 16:36:05 -0500
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
Sender: proff
From: Alan Cox <alan@lxorguk.ukuu.org.uk>
Subject:      Re: 2 thoughts. . .
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To:  <Pine.SUN.3.94.960720010232.25039B-100000@dfw.dfw.net> from
              "Aleph One" at Jul 20, 96 01:03:39 am

> >     rsh to a Solaris 2.3/4/5 box you have an account on, using file
> > descriptor 0 (ie your stdin) on your application issue ioctl calls for
> > things like setting the address of the loopback interface down. ie your
> > app is say "fred" rsh localhost fred and you can take down interfaces
> > etc.
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> Alan could you expand more on this. Has Sun made a patch available?

No idea about that.

This is a variant of an old (fixed) BSD problem. A socket created by root
gets flags set saying it can do things like SIOCSIFADDR ioctls. This was
done at the time in BSD because there was no way for the socket to get
back at the uarea concerned to check rights deep in the BSD net code.

Solaris 2.x has the same problem (for I guess similar reasons), and a root
created socket (ie fd 0 given to you by rsh) can do fun things whoever you
are.

Alan
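As an added illustration (not part of Alan's message, and a model rather than code taken from any BSD or Solaris source), the two authorisation policies he contrasts, side by side: privilege frozen into the socket at creation versus privilege checked against the caller at ioctl time. The flag name SS_PRIV, the uid values and the function names are assumptions.

```c
#include <errno.h>
#include <stdio.h>

/* Assumed flag: "created by root", stamped on the socket at creation. */
#define SS_PRIV 0x080

struct proc   { unsigned uid; };       /* credentials of the caller right now */
struct socket { unsigned so_state; };  /* flags fixed when the socket was made */

/* Creation records the creator's privilege on the socket (old BSD style). */
struct socket socreate(const struct proc *creator) {
    struct socket so = {0};
    if (creator->uid == 0)
        so.so_state |= SS_PRIV;
    return so;
}

/* Vulnerable policy: a SIOCSIFADDR-class ioctl is allowed if the socket
 * carries SS_PRIV, regardless of who is issuing the ioctl. */
int ifioctl_socketflag(const struct socket *so, const struct proc *caller) {
    (void)caller;
    return (so->so_state & SS_PRIV) ? 0 : EPERM;
}

/* Fixed policy: the check looks at the credentials of the process making
 * the call, so an inherited descriptor confers nothing. */
int ifioctl_callercred(const struct socket *so, const struct proc *caller) {
    (void)so;
    return caller->uid == 0 ? 0 : EPERM;
}

/* Replays the rsh scenario: a root daemon creates the socket, then the
 * user's program inherits it as fd 0 and asks for a privileged ioctl. */
int rsh_scenario(int (*policy)(const struct socket *, const struct proc *)) {
    struct proc rshd = { 0 };      /* daemon runs as root (assumed) */
    struct proc user = { 1000 };   /* ordinary account (constructed uid) */
    struct socket fd0 = socreate(&rshd);
    return policy(&fd0, &user);
}

int main(void) {
    printf("socket-flag policy: %s\n",
           rsh_scenario(ifioctl_socketflag) == 0 ? "allowed" : "denied");
    printf("caller-cred policy: %s\n",
           rsh_scenario(ifioctl_callercred) == 0 ? "allowed" : "denied");
    return 0;
}
```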

