Solaris8-10のローカルユーザがI_PEEK ioctlでごにょごにょ可能みたいです。

/*
 * $Id: raptor_peek.c,v 1.1 2007/10/18 08:09:02 raptor Exp $
 *
 * raptor_peek.c - Solaris fifofs I_PEEK kernel memory leak
 * Copyright (c) 2007 Marco Ivaldi <raptor@0xdeadbeef.info>
 *
 * [Lame] integer signedness error in FIFO filesystems (named pipes) on Sun 
 * Solaris 8 through 10 allows local users to read the contents of unspecified 
 * memory locations via a negative value to the I_PEEK ioctl (CVE-2007-5225).
 *
 *        /\   AS PART OF A VAST WORLD-WIDE CONSPIRACY              
 *  hjm  /  \   I COMMAND THEE:  BEAT OFF UNTO ME                   
 *      /,--.\                                                      
 *     /< () >\   IF I SAY "FNORD" AT THE END OF A SENTENCE         
 *    /  `--'  \   DOES THAT MAKE ME REALLY FUNNY OR SOMEONE        
 *   /          \   WHO NEEDS TO GET FUCKING BEATEN TO NEAR         
 *  /            \   DEATH AND THEN RAPED WITH A BROOM              
 * /______________\                                                 
 *                  AS YOU CAN SEE THAT'S REALLY TWO JOKES IN ONE
 *                   SO YOU REALLY GET YOUR MONEY'S WORTH HERE   
 * Usage:
 * $ gcc raptor_peek.c -o raptor_peek -Wall
 * $ ./raptor_peek kerndump 666666
 * [...]
 * $ ls -l kerndump 
 * -rwx------   1 raptor   staff     666666 Oct 17 19:33 kerndump
 *
 * Vulnerable platforms (SPARC):
 * Solaris 8 without patch 109454-06 [tested]
 * Solaris 9 without patch 117471-04 [tested]
 * Solaris 10 without patch 127737-01 [tested]
 *
 * Vulnerable platforms (x86):
 * Solaris 8 without patch 109455-06 [untested]
 * Solaris 9 without patch 117472-04 [untested]
 * Solaris 10 without patch 127738-01 [untested]
 */