Solaris 8/9/10 fifofs I_PEEK Local Kernel memory Leak Exploit
hjmがkjmに見えたのは内緒w、、、ぁーーーhajimeのhjmか!!!ってことは、kjm hjmでファイナルアンサー?w
Solaris8-10のローカルユーザがI_PEEK ioctlでごにょごにょ可能みたいです。
/* * $Id: raptor_peek.c,v 1.1 2007/10/18 08:09:02 raptor Exp $ * * raptor_peek.c - Solaris fifofs I_PEEK kernel memory leak * Copyright (c) 2007 Marco Ivaldi <raptor@0xdeadbeef.info> * * [Lame] integer signedness error in FIFO filesystems (named pipes) on Sun * Solaris 8 through 10 allows local users to read the contents of unspecified * memory locations via a negative value to the I_PEEK ioctl (CVE-2007-5225). * * /\ AS PART OF A VAST WORLD-WIDE CONSPIRACY * hjm / \ I COMMAND THEE: BEAT OFF UNTO ME * /,--.\ * /< () >\ IF I SAY "FNORD" AT THE END OF A SENTENCE * / `--' \ DOES THAT MAKE ME REALLY FUNNY OR SOMEONE * / \ WHO NEEDS TO GET FUCKING BEATEN TO NEAR * / \ DEATH AND THEN RAPED WITH A BROOM * /______________\ * AS YOU CAN SEE THAT'S REALLY TWO JOKES IN ONE * SO YOU REALLY GET YOUR MONEY'S WORTH HERE * Usage: * $ gcc raptor_peek.c -o raptor_peek -Wall * $ ./raptor_peek kerndump 666666 * [...] * $ ls -l kerndump * -rwx------ 1 raptor staff 666666 Oct 17 19:33 kerndump * * Vulnerable platforms (SPARC): * Solaris 8 without patch 109454-06 [tested] * Solaris 9 without patch 117471-04 [tested] * Solaris 10 without patch 127737-01 [tested] * * Vulnerable platforms (x86): * Solaris 8 without patch 109455-06 [untested] * Solaris 9 without patch 117472-04 [untested] * Solaris 10 without patch 127738-01 [untested] */